Analysis Report Prueba de pago.exe

Overview

General Information

Sample Name: Prueba de pago.exe (Spanish for "Payment proof": a payment/invoice-themed lure name)
Analysis ID: 319596
MD5: b3a244a097904a4d6689a582d7ec9985
SHA1: b16032d83c91ee333221fafadd5f2381ca659d78
SHA256: 286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
Tags: ESP, exe, geo, HawkEye

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Deletes itself after installation
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: Prueba de pago.exe.5080.0.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Prueba de pago.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Note: the unpacked dumps are named process.phase.image.base.index.unpack; "TR/..." labels are Avira trojan detections, while "SPR/Tool.MailPassView" flags the NirSoft Mail PassView credential-recovery tool that HawkEye bundles (it appears as a module in the extracted configuration above), so both labels on the same dump are expected.
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.27d0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Prueba de pago.exe.2350000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.2350000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 14.2.Windows Update.exe.2700000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 14.2.Windows Update.exe.2700000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 2.2.Windows Update.exe.2820000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 2.2.Windows Update.exe.2820000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.Prueba de pago.exe.2460000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.2460000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.2300000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.2300000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.2330000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.2330000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.960000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.960000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 3.2.Windows Update.exe.22a0000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 3.2.Windows Update.exe.22a0000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.Prueba de pago.exe.2690000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.8d0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 3.2.Windows Update.exe.2210000.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.1.Windows Update.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.1.Windows Update.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 15.2.Windows Update.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 15.2.Windows Update.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 1.2.Prueba de pago.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 1.2.Prueba de pago.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 14.2.Windows Update.exe.2310000.2.unpack Avira: Label: TR/Crypt.ULPM.Gen
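The configuration extractor above reports which credential-theft modules the HawkEye build carries (WebBrowserPassView, mailpv, Mail PassView) and an empty version. The following is an added example, not Joe Sandbox's extractor or any HawkEye code, showing how such a module list can be recovered from a memory dump by scanning for the module indicator strings in both ASCII and UTF-16LE (the .NET stager stores its string literals as UTF-16, the embedded NirSoft binaries as ASCII). The indicator strings are taken from the report's own string findings; the sample dump is constructed for the example, and treating string presence as proof of a module is an assumption of this example.

```python
import json

# Module indicator strings. The three module names come from the report's
# configuration dump; the SQL fragment and signons file name are
# WebBrowserPassView strings the report lists under "String found in binary
# or memory". Mapping string presence to a module is this example's
# assumption, not Joe Sandbox's extractor logic.
MODULE_INDICATORS = {
    "WebBrowserPassView": [b"WebBrowserPassView", b"FROM moz_logins", b"signons.sqlite"],
    "mailpv": [b"mailpv"],
    "Mail PassView": [b"Mail PassView"],
}


def _variants(pattern: bytes):
    """Yield the ASCII form and the UTF-16LE form of an indicator."""
    return [pattern, pattern.decode("ascii").encode("utf-16-le")]


def extract_hawkeye_config(blob: bytes) -> dict:
    """Return a config dict in the same shape as the report's extractor output."""
    modules = []
    for name, patterns in MODULE_INDICATORS.items():
        if any(v in blob for p in patterns for v in _variants(p)):
            modules.append(name)
    # Version stays empty on purpose: the report's extractor returned "" and
    # the page shows nothing about where a version string would live.
    return {"Modules": modules, "Version": ""}


# Constructed stand-in for a process memory dump: a PE header stub, a UTF-16
# .NET literal and two ASCII strings from the embedded NirSoft tools.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Mail PassView".encode("utf-16-le") + b"\x00\x00"
    + b"SELECT id, hostname, httpRealm, formSubmitURL, usernameField, "
      b"passwordField, encryptedUsername, encryptedPassword FROM moz_logins"
    + b"\x00mailpv.exe\x00"
)

if __name__ == "__main__":
    # Prints the same JSON shape the report shows for the memstr source.
    print("HawkEye", json.dumps(extract_hawkeye_config(SAMPLE_DUMP)))
```

Scanning both encodings matters in practice: a rule that only matches ASCII "Mail PassView" misses the .NET stager's copy of the string and will only fire once the NirSoft payload has been dropped or injected.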

Spreading:

May infect USB drives
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Prueba de pago.exe Binary or memory string: autorun.inf
Source: Prueba de pago.exe Binary or memory string: [autorun]
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe Binary or memory string: autorun.inf
Source: Windows Update.exe Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WERF1FE.tmp.mdmp.9.dr Binary or memory string: autorun.inf
Source: WERF1FE.tmp.mdmp.9.dr Binary or memory string: [autorun]
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004089B8 FindFirstFileA,GetLastError, 0_2_004089B8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004089B8 FindFirstFileA,GetLastError, 2_2_004089B8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AE8
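The "May infect USB drives" signature rests on the strings "autorun.inf" and "[autorun]" in memory plus FindFirstFileA enumeration; the report does not show what the sample actually writes to removable media. The following is an added example, not code from the report or from HawkEye, of the check an incident responder would run against a suspect drive root: parse autorun.inf, flag any launch key (open=, shellexecute=, shell\open\command=) that points at an executable present on the drive, and flag an action= relabel, which is the usual way an AutoPlay entry is disguised as "Open folder to view files". The drive contents, the file name WindowsUpdate.exe and the extension list are constructed for the example.

```python
import os
import tempfile

# Extensions AutoPlay could launch directly (constructed list for the example).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    keys, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def _program_of(value: str) -> str:
    """Strip command-line arguments; honour a quoted path containing spaces."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0]


def autorun_findings(drive_root: str) -> list:
    """Inspect <drive_root>/autorun.inf and return (severity, message) tuples."""
    inf_path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
        keys = parse_autorun(fh.read())
    findings = []
    for key in LAUNCH_KEYS:
        if not keys.get(key):
            continue
        exe = _program_of(keys[key])
        ext = os.path.splitext(exe)[1].lower()
        present = os.path.isfile(os.path.join(drive_root, exe))
        severity = "high" if ext in EXECUTABLE_EXT and present else "medium"
        findings.append((severity, f"{key}= launches {exe} ({'present' if present else 'missing'} on drive)"))
    if "action" in keys:
        # A custom action label makes the AutoPlay entry look like the stock
        # "Open folder to view files" choice, hiding what is really launched.
        findings.append(("medium", f"AutoPlay entry relabelled as '{keys['action']}'"))
    return findings


def build_sample_drive(with_inf: bool = True) -> str:
    """Create a throwaway directory standing in for a removable drive root.
    File names and contents are constructed for this example."""
    root = tempfile.mkdtemp(prefix="usb_")
    if with_inf:
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
            fh.write("[autorun]\r\nopen=WindowsUpdate.exe\r\n"
                     "action=Open folder to view files\r\n"
                     "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n")
        with open(os.path.join(root, "WindowsUpdate.exe"), "wb") as fh:
            fh.write(b"MZ")  # placeholder, not a real executable
    return root


if __name__ == "__main__":
    for severity, message in autorun_findings(build_sample_drive()):
        print(severity.upper(), message)
```

Since Windows 7 (and the corresponding update for earlier versions), AutoRun no longer executes autorun.inf launch keys from removable drives, so a present autorun.inf mostly indicates propagation intent and lets you date and attribute the infection rather than implying the drive will self-execute on a patched host.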

Networking:

May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com (the same query is repeated many times during the run)
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 217.76.146.62:587
Note: TCP/587 is the standard SMTP submission port, so this hit is the same connection as the "Uses SMTP (mail sending)" finding below rather than a custom command-and-control port.
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive (no User-Agent header; the line breaks between request line and headers were lost in extraction)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.155.36 104.16.155.36
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49728 -> 217.76.146.62:587
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_021EA186 recv, 3_2_021EA186
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: whatismyipaddress.com | Connection: Keep-Alive
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.257268952.0000000000A0C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.facebook.com (Facebook)
Source: vbc.exe, 00000006.00000003.257268952.0000000000A0C000.00000004.00000001.sdmp String found in binary or memory: s://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287res://C:\Windows\system32\mmcndmgr.dll/views.htmhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/http://go.microsoft.com/fwlink/?LinkId=838604http://go.microsoft.com/fwlink/http://go.microsoft.com/fwlink/p/?LinkId=255141http://go.microsoft.com/fwlink/p/https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login. equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 49.124.12.0.in-addr.arpa
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp String found in binary or memory: http://go.microsoft.LinkId=42127
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: Prueba de pago.exe, Windows Update.exe, Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, WERF1FE.tmp.mdmp.9.dr String found in binary or memory: http://whatismyipaddress.com/-
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.comx&
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Prueba de pago.exe, 00000001.00000003.220190167.0000000005171000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comes
Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comg
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Prueba de pago.exe, 00000001.00000003.219169725.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comre
Source: Prueba de pago.exe, 00000001.00000003.219204649.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comsio
Source: Prueba de pago.exe, 00000001.00000003.219120953.0000000005173000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comues
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Prueba de pago.exe, 00000001.00000003.227606996.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers)
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Prueba de pago.exe, 00000001.00000003.222383609.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersX
Source: Prueba de pago.exe, 00000001.00000003.222480530.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersc
Source: Prueba de pago.exe, 00000001.00000003.222111568.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: Prueba de pago.exe, 00000001.00000003.222071225.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersp
Source: Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerst
Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF_g
Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comt
Source: Prueba de pago.exe, 00000001.00000002.232193805.0000000000B10000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comueno
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmp, Prueba de pago.exe, 00000001.00000003.218282268.0000000005172000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn$
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Prueba de pago.exe, 00000001.00000003.218253485.0000000005172000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnT
Source: Prueba de pago.exe, 00000001.00000003.218163414.000000000515A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnv
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Prueba de pago.exe, 00000001.00000003.224253184.0000000000B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQt
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Prueba de pago.exe, 00000001.00000003.221758265.0000000005176000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: Prueba de pago.exe, 00000001.00000003.227980976.0000000000B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.fyB
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Prueba de pago.exe, 00000001.00000003.218985995.0000000005156000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnb
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 0000000F.00000002.305553059.0000000002E01000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
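The list above mixes three very different kinds of string: browser credential-store artifacts (the moz_logins query, signons*.sqlite, IntelliForms\Storage2, WebCacheV01.dat), a handful of behavioural endpoints (whatismyipaddress.com for external-IP discovery, www.nirsoft.net as the origin of the embedded password-recovery tools, and www.site.com/logs.php, which the report lists without further comment), and a long tail of font-vendor and certificate-chain URLs that come from embedded TrueType copyright strings and the COMODO code-signing chain rather than from the malware's own logic. The following script is an added triage example written for this page, not Joe Sandbox output or HawkEye code; the host sets are taken from the report's own listing, the sample input is a constructed subset of the strings above with their "Source:" prefix removed, and the category labels are the editor's reading of why each host is present.

```python
import re

# Constructed sample input: a subset of the "String found in binary or memory" values
# from the report, with the "Source: ..." prefix removed. Memory-carved strings often
# carry a few trailing bytes from adjacent data ("...designersX", "...comsio"), which
# the host extraction below tolerates.
SAMPLE_STRINGS = [
    "http://www.fontbureau.com/designersX",
    "http://www.fontbureau.com/designers/cabarga.htmlN",
    "http://www.carterandcone.comsio",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.fonts.com",
    "http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r",
    "http://ocsp.comodoca.com0",
    "http://whatismyipaddress.com/-",
    "https://whatismyipaddress.comx&",
    "http://www.nirsoft.net/",
    "http://www.site.com/logs.php",
    "https://login.yahoo.com/config/login",
    "https://www.google.com/accounts/servicelogin",
    "SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, "
    "encryptedUsername, encryptedPassword FROM moz_logins",
    "signons.sqlite",
    "Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2",
    "Microsoft\\Windows\\WebCache\\WebCacheV01.dat",
]

# Known hosts grouped by why they appear in this sample (editor's categorisation, built
# from the report's list). font_vendor and pki are noise: embedded font copyright strings
# and the code-signing certificate chain. login_page hosts sit next to the IE Storage2
# key in the same memory blob and are treated here as password-recovery targets.
KNOWN_HOSTS = {
    "font_vendor": {
        "www.fontbureau.com", "www.carterandcone.com", "www.founder.com.cn",
        "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
        "www.sajatypeworks.com", "www.sakkal.com", "www.sandoll.co.kr", "www.tiro.com",
        "www.typography.net", "www.urwpp.de", "www.zhongyicts.com.cn", "fontfabrik.com",
        "www.ascendercorp.com", "www.fonts.com",
    },
    "pki": {"crl.comodoca.com", "ocsp.comodoca.com"},
    "ip_check": {"whatismyipaddress.com"},
    "tool_origin": {"www.nirsoft.net"},
    "login_page": {"login.yahoo.com", "www.google.com", "www.facebook.com"},
}

# Substrings that identify local browser credential stores rather than network endpoints.
CRED_STORE_MARKERS = {
    "moz_logins": "Firefox logins table (signons.sqlite)",
    "signons": "Firefox signons file",
    "IntelliForms\\Storage2": "IE AutoComplete password store",
    "WebCache": "IE/Edge WebCache history database",
}

URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def host_of(s):
    """Return (category, host) for a URL-like string, or None if it is not a URL.

    The greedy host match may absorb bytes that followed the URL in memory, so a known
    host is accepted when it is a prefix of the carved candidate; the longest known
    prefix wins, so "www.fonts.com" cannot shadow "www.fontbureau.com". Hosts not in
    any table are returned verbatim as "unclassified" for analyst follow-up.
    """
    m = URL_RE.match(s)
    if not m:
        return None
    cand = m.group(1).lower()
    best = None
    for cat, hosts in KNOWN_HOSTS.items():
        for h in hosts:
            if cand.startswith(h) and (best is None or len(h) > len(best[1])):
                best = (cat, h)
    return best or ("unclassified", cand)


def triage(strings):
    """Collapse carved strings into one sorted entry per distinct host or store."""
    buckets = {cat: set() for cat in KNOWN_HOSTS}
    buckets["unclassified"] = set()
    buckets["credential_store"] = set()
    for s in strings:
        hit = host_of(s)
        if hit:
            cat, host = hit
            buckets[cat].add(host)
            continue
        for marker, label in CRED_STORE_MARKERS.items():
            if marker in s:
                buckets["credential_store"].add(label)
    return {cat: sorted(v) for cat, v in buckets.items() if v}


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_STRINGS).items():
        print(f"{cat:17} {', '.join(items)}")
```

Run against the full listing, the several dozen font and PKI lines collapse into two noise buckets, leaving the external-IP check, the NirSoft origin, the credential-store paths and the single unclassified host www.site.com as the items worth carrying into a detection or blocklist. The unclassified bucket is deliberate: a string the report lists but does not explain should be reviewed, not silently dropped.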
Source: Prueba de pago.exe, 00000001.00000003.224253184.0000000000B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmQt
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Prueba de pago.exe, 00000001.00000003.221758265.0000000005176000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: Prueba de pago.exe, 00000001.00000003.227980976.0000000000B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.fyB
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.292639163.00000000051D0000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.308237547.0000000005100000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Prueba de pago.exe, 00000001.00000003.218985995.0000000005156000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnb
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 0000000F.00000002.305553059.0000000002E01000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com
Source: Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.com/
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
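
The string list above mixes two very different kinds of URL, and anyone triaging a report like this wants them separated before anything is exported as an indicator. The font-vendor addresses (fontbureau.com, founder.com.cn, monotype, sandoll.co.kr and the rest) are copyright strings from the name tables of fonts that ship with Windows and turn up in the memory of any process that renders text through GDI+/WinForms, so they say nothing about the sample; the trailing junk on several of them (.comB.TTF_g, .netD, .comx&) is the string scanner reading into the neighbouring bytes. The entries that matter are nirsoft.net, site.com/logs.php, whatismyipaddress.com and the two login endpoints. The script below is an added example, not part of the Joe Sandbox report: it parses lines in the report's own format, attributes each URL to the processes it was found in, classifies it, and counts the distinct client ports behind the port-443 traffic entries. The sample lines are constructed from entries on this page; the vendor list, the list of hosts worth review and the note attached to each are the editor's own triage choices, not data from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: lines copied from the report's "String found in
# binary or memory" and "Network traffic detected" entries, unchanged.
SAMPLE_LINES = """\
Source: Prueba de pago.exe, 00000001.00000003.222925322.0000000005171000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerst
Source: Prueba de pago.exe, 00000001.00000002.236537294.00000000063D2000.00000004.00000001.sdmp, Windows Update.exe, 00000003.00000002.270324089.00000000051D0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: Prueba de pago.exe, Windows Update.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, Windows Update.exe, 0000000F.00000002.305535580.0000000002DF8000.00000004.00000001.sdmp String found in binary or memory: https://whatismyipaddress.comx&
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
"""

# Font vendors whose URLs live in the name tables of fonts shipped with
# Windows; they surface in any process that renders text via GDI+/WinForms.
# Matched by prefix because the scanner often appends bytes from the next
# string (e.g. "www.typography.netD"). Editor's list, not from the report.
FONT_VENDOR_PREFIXES = (
    "www.fontbureau.com", "www.fonts.com", "www.founder.com.cn",
    "www.galapagosdesign.com", "www.goodfont.co.kr", "www.jiyu-kobo.co.jp",
    "www.monotype.", "www.sajatypeworks.com", "www.sakkal.com",
    "www.sandoll.co.kr", "www.tiro.com", "www.typography.net", "www.urwpp.de",
    "www.zhongyicts.com.cn",
)

# Hosts worth a human look, each with the editor's triage note (assumptions).
INTERESTING_PREFIXES = {
    "www.nirsoft.net": "NirSoft tooling strings (password recovery utilities)",
    "www.site.com": "looks like a builder placeholder for a log upload endpoint",
    "whatismyipaddress.com": "external IP lookup",
    "login.yahoo.com": "webmail login endpoint",
    "www.google.com": "account login endpoint",
}

STRING_RE = re.compile(r"^Source: (?P<src>.+?) String found in binary or memory: (?P<url>\S+)$")
NET_RE = re.compile(r"HTTP traffic on port (?P<a>\d+) -> (?P<b>\d+)$")
SDMP_RE = re.compile(r"^[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}\.[0-9A-F]{8}\.[0-9A-F]{8}\.sdmp$")


def process_names(src):
    """Distinct process names from a 'Source:' list, dropping the dump ids."""
    names = []
    for tok in src.split(", "):
        if SDMP_RE.match(tok) or tok in names:
            continue
        names.append(tok)
    return names


def classify(url):
    """Return (category, note) for one extracted URL."""
    host = urlsplit(url).hostname or ""
    for prefix, note in INTERESTING_PREFIXES.items():
        if host.startswith(prefix):
            return "interesting", note
    if any(host.startswith(p) for p in FONT_VENDOR_PREFIXES):
        return "font-vendor noise", "font name-table URL, present in any GDI+/WinForms process"
    return "unclassified", "review manually"


def triage(text):
    """Parse report lines; returns (url records, sorted client ports seen talking to 443)."""
    urls, ports = [], set()
    for line in text.splitlines():
        m = STRING_RE.match(line)
        if m:
            category, note = classify(m["url"])
            urls.append({"url": m["url"], "processes": process_names(m["src"]),
                         "category": category, "note": note})
            continue
        m = NET_RE.search(line)
        if m:
            a, b = int(m["a"]), int(m["b"])
            if 443 in (a, b):
                ports.add(b if a == 443 else a)  # the ephemeral side is the client
    return urls, sorted(ports)


def summarize(text):
    """Counts per category, the URLs to review, and how many 443 connections there were."""
    urls, ports = triage(text)
    counts = {}
    for u in urls:
        counts[u["category"]] = counts.get(u["category"], 0) + 1
    return {"counts": counts, "client_ports_to_443": ports,
            "review": [u["url"] for u in urls if u["category"] == "interesting"]}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Anything that falls into "unclassified" is what the analyst reads by hand; the point of the vendor list is only to keep the font strings, which dominate this section, from being pasted into a blocklist.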

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
Source: Yara match File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: HookKeyboard
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: HookKeyboard
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004070D2 OpenClipboard, 0_2_004070D2
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004233B4 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_004233B4
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00459724 GetKeyboardState,SetKeyboardState,SendMessageA,SendMessageA, 0_2_00459724
Creates a DirectInput object (often for capturing keystrokes)
Source: WindowsUpdate.exe, 0000000B.00000002.275048131.00000000007BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
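
A few of the entries in this section carry more meaning than the one-line signature names suggest. In the "Installs a global keyboard hook" entry, "keyboard low level" is the WH_KEYBOARD_LL hook type (constant 13), and the 0 in front of it is read here as the dwThreadId argument to SetWindowsHookEx; a low-level keyboard hook can only be installed with a thread id of 0 (anything else fails with ERROR_GLOBAL_ONLY_HOOK), which makes it desktop-wide, so every keystroke in every window is delivered to the hook procedure inside Windows Update.exe. The CLIPBRDWNDCLASS window is weaker evidence on its own, because OLE creates a window of that class in any process that initialises the clipboard; it corroborates clipboard capture only next to the hook. The memory-dump names in the Yara entries (for example 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp) are assumed here to carry the process index, dump round, base address and page protection in that order; 0x40 is PAGE_EXECUTE_READWRITE, and HawkEye rule hits in RWX regions at 0x402000 are consistent with code written into the process at runtime rather than mapped read-execute from a file on disk. The DDRAW.DLL hook string listed under the DirectInput signature is deliberately not scored, because in sandbox reports that XML descriptor usually originates from application-compatibility shim data rather than from the sample. The script below is an added example, not the sandbox's code: it parses these entries in the report's own format and emits findings with a severity. The sample lines are constructed from entries on this page; the severity rules and the user-writable directory list are the editor's choices.

```python
import re
from collections import defaultdict

WH_KEYBOARD_LL = 13  # the hook type the report calls "keyboard low level"

# Page protection values as VirtualQuery reports them (winnt.h constants).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Editor's choice of directories an unprivileged user can write to; a hook
# module living there instead of under the Windows directory raises severity.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\desktop\\", "\\downloads\\", "\\public\\")

HOOK_RE = re.compile(r"^Source: (?P<proc>.+?) Windows user hook set: (?P<tid>\d+) "
                     r"(?P<kind>keyboard low level|keyboard|mouse low level|mouse) (?P<mod>.+)$")
WINDOW_RE = re.compile(r"^Source: (?P<proc>.+?) Window created: window name: (?P<cls>\S+)$")
# Field meaning assumed: process index, dump round, id, base, protection, type.
SDMP_RE = re.compile(r"(?P<idx>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.\d+\."
                     r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")

# Constructed sample: entries in the report's own format, copied from above.
SAMPLE = r"""Source: C:\Users\user\AppData\Roaming\Windows Update.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Window created: window name: CLIPBRDWNDCLASS
Source: Yara match File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
"""


def parse_sdmp(name):
    """Decode a dump name into its fields, or None if the string is not one."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {"process_index": int(m["idx"], 16), "round": int(m["round"], 16),
            "base": int(m["base"], 16), "protection": prot,
            "protection_name": PAGE_PROTECTION.get(prot, hex(prot))}


def assess(text):
    """Run the heuristics over report lines and return one finding per issue."""
    hooks, windows, rwx = [], [], defaultdict(list)
    for raw in text.splitlines():
        line = raw.replace(" Jump to behavior", "").rstrip()  # tolerate HTML link text
        if m := HOOK_RE.match(line):
            hooks.append(m.groupdict())
        elif m := WINDOW_RE.match(line):
            windows.append(m.groupdict())
        elif "Yara match File source:" in line and (d := parse_sdmp(line)):
            if d["protection"] in (0x40, 0x80):  # writable and executable
                rwx[d["process_index"]].append(d)

    findings, hooked_images = [], set()
    for h in hooks:
        # tid 0 = all threads on the desktop; LL hooks are always installed that way
        if h["tid"] == "0" and h["kind"] == "keyboard low level":
            user_path = any(s in h["mod"].lower() for s in USER_WRITABLE)
            hooked_images.add(h["mod"].lower())
            findings.append({"severity": "high" if user_path else "medium",
                             "what": "global WH_KEYBOARD_LL hook", "image": h["mod"],
                             "note": "hook module in a user-writable directory" if user_path
                                     else "hook module outside user-writable directories"})
    for w in windows:
        # OLE creates CLIPBRDWNDCLASS in any clipboard-using process, so only
        # report it when the same image also installed the keyboard hook.
        if w["cls"] == "CLIPBRDWNDCLASS" and w["proc"].lower() in hooked_images:
            findings.append({"severity": "medium", "what": "clipboard window in keylogging process",
                             "image": w["proc"], "note": "corroborates keystroke plus clipboard capture"})
    for idx, dumps in sorted(rwx.items()):
        findings.append({"severity": "high", "what": "Yara match in RWX memory",
                         "image": f"process index {idx}",
                         "note": f"{len(dumps)} region(s) PAGE_EXECUTE_READWRITE, e.g. base {hex(dumps[0]['base'])}"})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f["severity"], f["what"], f["image"], f["note"], sep=" | ")
```

The hook finding is the one to act on: a desktop-wide WH_KEYBOARD_LL hook owned by a module under %AppData% that calls itself Windows Update.exe is enough for containment on its own, and the RWX Yara hits tell the responder which process indices hold the unpacked payload worth dumping.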

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004557F8 NtdllDefWindowProc_A, 0_2_004557F8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00456024
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044A3C8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043A6DC NtdllDefWindowProc_A,GetCapture, 0_2_0043A6DC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0042E904 NtdllDefWindowProc_A, 0_2_0042E904
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00455F74
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00490159 NtCreateSection, 1_2_00490159
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004557F8 NtdllDefWindowProc_A, 2_2_004557F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00456024
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0044A3C8 GetSubMenu,SaveDC,RestoreDC,73BBB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 2_2_0044A3C8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043A6DC NtdllDefWindowProc_A,GetCapture, 2_2_0043A6DC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0042E904 NtdllDefWindowProc_A, 2_2_0042E904
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00455F74
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_00490159 NtCreateSection, 3_2_00490159
Detected potential crypto function
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0044A3C8 0_2_0044A3C8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046F74C 0_2_0046F74C
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004759E0 0_2_004759E0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0044FECC 0_2_0044FECC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0040D426 1_2_0040D426
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0040D523 1_2_0040D523
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0041D5AE 1_2_0041D5AE
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00417646 1_2_00417646
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004429BE 1_2_004429BE
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00446AF4 1_2_00446AF4
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0046ABFC 1_2_0046ABFC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00463C4D 1_2_00463C4D
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00463CBE 1_2_00463CBE
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0040ED03 1_2_0040ED03
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00463D2F 1_2_00463D2F
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00463DC0 1_2_00463DC0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0040CF92 1_2_0040CF92
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0041AFA6 1_2_0041AFA6
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048F13D 1_2_0048F13D
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_00489976 1_2_00489976
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004F9017 1_2_004F9017
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004F90A8 1_2_004F90A8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004A227A 1_2_004A227A
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004B028E 1_2_004B028E
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_004A270E 1_2_004A270E
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0043C7BC 1_2_0043C7BC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0044A3C8 2_2_0044A3C8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0046F74C 2_2_0046F74C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004759E0 2_2_004759E0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0044FECC 2_2_0044FECC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_00489976 3_2_00489976
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048F13D 3_2_0048F13D
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004F9017 3_2_004F9017
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004F90A8 3_2_004F90A8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004A227A 3_2_004A227A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004B028E 3_2_004B028E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004A270E 3_2_004A270E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004A280B 3_2_004A280B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004B2896 3_2_004B2896
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004AC92E 3_2_004AC92E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004D7CA6 3_2_004D7CA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004DBDDC 3_2_004DBDDC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004FFEE4 3_2_004FFEE4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004F8F35 3_2_004F8F35
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004A3FEB 3_2_004A3FEB
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004F8FA6 3_2_004F8FA6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_004D1AA4 3_2_004D1AA4
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 004035DC appears 35 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 00404348 appears 78 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 004039A8 appears 40 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 004035DC appears 35 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 004E0D85 appears 35 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 00404348 appears 78 times
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: String function: 004039A8 appears 40 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 004035DC appears 35 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 0044BA9D appears 35 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 00404348 appears 78 times
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: String function: 004039A8 appears 40 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
PE file contains strange resources
Source: Prueba de pago.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Prueba de pago.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.1.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.3.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: WindowsUpdate.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.13.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Windows Update.exe.13.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Prueba de pago.exe, 00000000.00000002.215435609.00000000023E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
Source: Prueba de pago.exe Binary or memory string: OriginalFilename vs Prueba de pago.exe
Source: Prueba de pago.exe Binary or memory string: OriginalFileName vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.236900578.00000000069E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Prueba de pago.exe
Source: Prueba de pago.exe, 00000001.00000002.236774643.00000000068E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Prueba de pago.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: phoneinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Yara signature match
Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer, type: DROPPED Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Windows Update.e_1044ba73b302b1a19e09d2f83986d3c5672f_ffa3413f_105a0017\Report.wer, type: DROPPED Matched rule: SUSP_WER_Suspicious_Crash_Directory date = 2019-10-18, author = Florian Roth, description = Detects a crashed application executed in a suspicious directory, reference = https://twitter.com/cyb3rops/status/1185585050059976705, score =
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: 'P304eOgb0Ivsce+Kn0miIbTnEuzghUPptCI2d9ERIgrdNqqG2jE7VvZdeG0JdAPc', 'yoFJcD2U+slghTYRvbTbN+57Zqztr8twrtqEFPhKlYWGOE9kQqOeaYS1Kg/f0Zbp', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@23/25@8/3
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00420A80 GetLastError,FormatMessageA, 0_2_00420A80
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00408B82 GetDiskFreeSpaceA, 0_2_00408B82
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00417214 FindResourceA,LoadResource,SizeofResource,LockResource, 0_2_00417214
Source: C:\Users\user\Desktop\Prueba de pago.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5388
Source: C:\Users\user\Desktop\Prueba de pago.exe File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt
Source: C:\Users\user\Desktop\Prueba de pago.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Prueba de pago.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Prueba de pago.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\Prueba de pago.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Prueba de pago.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Prueba de pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\Prueba de pago.exe File read: C:\Users\user\Desktop\Prueba de pago.exe
Source: unknown Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 2488
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376
Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376
Source: C:\Users\user\Desktop\Prueba de pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Prueba de pago.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Prueba de pago.exe Static file information: File size 1129472 > 1048576
Source: C:\Users\user\Desktop\Prueba de pago.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: rsaenh.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wkernel32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: bcrypt.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: ucrtbase.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: ws2_32.pdb0up source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Configuration.pdbKt0 source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wbemcomn.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.308891234.0000000006730000.00000004.00000001.sdmp
Source: Binary string: NapiNSP.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: msvcrt.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorlib.pdb:r source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wrpcrt4.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wntdll.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp
Source: Binary string: dhcpcsvc.pdb=p@ source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbQ source: Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: mscoreei.pdbOs source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: powrprof.pdbBuP source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: winnsi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cryptsp.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: advapi32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\mscorlib.pdbj source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cordacwks.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\mscorlib.pdbh source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe8 source: Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbz\AppData\Roaming\Windows Update.exe6 source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: ntmarta.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: schannel.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: bj\zTs5.pdb9j source: Prueba de pago.exe, 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, Windows Update.exe, 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, WindowsUpdate.exe, 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp
Source: Binary string: wwin32u.pdbup source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cryptsp.pdb`t0 source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: psapi.pdb7u` source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wkernelbase.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: 1?pC:\Windows\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbPVs source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: shlwapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: version.pdbht source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Windows Update.exe, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
Source: Binary string: mscorjit.pdbbt source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Windows Update.exe, 0000000F.00000002.308904330.0000000006742000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Windows Update.exe, vbc.exe, 00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
Source: Binary string: sxs.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: security.pdbHF0 source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: dwmapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mZqt usymbols\dll\mscorlib.pdbx source: Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: mscoree.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: Windows.Storage.pdbcw source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: ws2_32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: msasn1.pdb8u source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: nlaapi.pdb+p0 source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDB source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
Source: Binary string: iphlpapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: nsi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: jqt usymbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp
Source: Binary string: wmiutils.pdb_s source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: powrprof.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Configuration.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: ole32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: winnsi.pdb<p source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: security.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: rlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorlib.pdb source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp, WERF1FE.tmp.mdmp.9.dr
Source: Binary string: comctl32v582.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: DWrite.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cfgmgr32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Drawing.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Management.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: combase.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: Windows.Storage.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorrc.pdbJnP source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: rasadhlp.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb/nP source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: dhcpcsvc.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
Source: Binary string: dwmapi.pdbHt0 source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: pnrpnsp.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cryptbase.pdbjt source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: NapiNSP.pdb/p source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Runtime.Remoting.pdb"n source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wsspicli.pdbkt source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: pnrpnsp.pdb-p` source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: shcore.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: .pdb* source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: wgdi32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: fltLib.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: shell32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: msvcr80.i386.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: msvcp_win.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: shfolder.pdbit`F source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: dnsapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: rasapi32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wimm32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wwin32u.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: dnsapi.pdb1p source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: nlaapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: winhttp.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wUxTheme.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\diasymreader.pdb?p source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorsec.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wmiutils.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: gdiplus.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorlib.pdbH source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: rtutils.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cordacwks.pdbPn source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorwks.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb@ source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: profapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: dhcpcsvc6.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: f:\binaries.x86ret\bin\i386\Microsoft.VisualBasic.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: Kernel.Appcore.pdbGu source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wgdi32full.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorjit.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: sechost.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscoree.pdbWsP source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: shfolder.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wgdi32full.pdbmt@ source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: rasman.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: fastprox.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wbemsvc.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: winrnr.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: msctf.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Windows Update.exe, vbc.exe, 00000006.00000002.257490095.0000000000400000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wmswsock.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: version.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wintrust.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: rsaenh.pdb]t source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Xml.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscorrc.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wbemcomn.pdbbs source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Windows.Forms.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: Kernel.Appcore.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: psapi.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: WMINet_Utils.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: fwpuclnt.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 0000000F.00000002.303054120.00000000006B4000.00000004.00000020.sdmp
Source: Binary string: bcrypt.pdb[t source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wbemprox.pdbas source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: System.Management.pdbX source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: cryptbase.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: winrnr.pdb*p source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wuser32.pdb@w source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: mscoreei.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: bcryptprimitives.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000003.00000002.271902823.00000000079CA000.00000004.00000010.sdmp, Windows Update.exe, 0000000F.00000002.309388287.000000000778A000.00000004.00000010.sdmp
Source: Binary string: msvcp_win.pdb[w source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: oleaut32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: wuser32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb{ source: Windows Update.exe, 00000003.00000002.265730699.00000000006D7000.00000004.00000020.sdmp
Source: Binary string: wbemprox.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.265834536.0000000000B55000.00000004.00000040.sdmp, Windows Update.exe, 0000000F.00000002.304460579.0000000002515000.00000004.00000040.sdmp
Source: Binary string: culture.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: crypt32.pdb source: WERF1FE.tmp.mdmp.9.dr
Source: Binary string: edputil.pdb source: WERF1FE.tmp.mdmp.9.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Prueba de pago.exe Unpacked PE file: 1.2.Prueba de pago.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 3.2.Windows Update.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Unpacked PE file: 13.2.WindowsUpdate.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 15.2.Windows Update.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rsrc:R;.reloc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Prueba de pago.exe Unpacked PE file: 1.2.Prueba de pago.exe.2460000.3.unpack
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 3.2.Windows Update.exe.2330000.3.unpack
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 15.2.Windows Update.exe.2300000.3.unpack
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Prueba de pago.exe Unpacked PE file: 1.2.Prueba de pago.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 3.2.Windows Update.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Unpacked PE file: 13.2.WindowsUpdate.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Unpacked PE file: 15.2.Windows Update.exe.400000.0.unpack
.NET source code contains potential unpacker
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00441B28 push 00441BB5h; ret 0_2_00441BAD
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C020 push 0040C098h; ret 0_2_0040C090
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430030 push 0043005Ch; ret 0_2_00430054
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C09A push 0040C10Bh; ret 0_2_0040C103
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C09C push 0040C10Bh; ret 0_2_0040C103
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C17A push 0040C1A8h; ret 0_2_0040C1A0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C17C push 0040C1A8h; ret 0_2_0040C1A0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430198 push 004301C4h; ret 0_2_004301BC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004101B0 push 00410211h; ret 0_2_00410209
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410214 push 00410415h; ret 0_2_0041040D
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040C2A4 push eax; retn 0040h 0_2_0040C2B9
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004583D8 push 00458404h; ret 0_2_004583FC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410418 push 0041055Ch; ret 0_2_00410554
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00426524 push 004265F4h; ret 0_2_004265EC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00410530 push 0041055Ch; ret 0_2_00410554
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A5E4 push ecx; mov dword ptr [esp], ecx 0_2_0046A5E8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040659E push 004065F1h; ret 0_2_004065E9
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004065A0 push 004065F1h; ret 0_2_004065E9
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0041C6E4 push ecx; mov dword ptr [esp], edx 0_2_0041C6E9
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00406770 push 0040679Ch; ret 0_2_00406794
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00426704 push 00426730h; ret 0_2_00426728
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004667D8 push 00466804h; ret 0_2_004667FC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004627D8 push ecx; mov dword ptr [esp], ecx 0_2_004627DD
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040682C push 00406858h; ret 0_2_00406850
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A8F4 push 0046A91Ah; ret 0_2_0046A912
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0046A958 push 0046A984h; ret 0_2_0046A97C
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0041A978 push ecx; mov dword ptr [esp], edx 0_2_0041A97A
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004269BC push 004269E8h; ret 0_2_004269E0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00428A50 push 00428A7Ch; ret 0_2_00428A74
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00444A7C push 00444AA8h; ret 0_2_00444AA0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00428A04 push 00428A45h; ret 0_2_00428A3D

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File created: C:\Users\user\AppData\Roaming\Windows Update.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update

Hooking and other Techniques for Hiding and Protection:

Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden
Deletes itself after installation
Source: C:\Users\user\AppData\Roaming\Windows Update.exe File deleted: c:\users\user\desktop\prueba de pago.exe
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_00455880
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00456024
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043C658
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00452974
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_0043CF3C
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00427418
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0043BDB0 IsIconic,GetCapture, 0_2_0043BDB0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00455F74
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00455880 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 2_2_00455880
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00456024 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 2_2_00456024
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043C658 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 2_2_0043C658
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00452974 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 2_2_00452974
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043CF3C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 2_2_0043CF3C
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00427418 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_00427418
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_0043BDB0 IsIconic,GetCapture, 2_2_0043BDB0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00455F74 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 2_2_00455F74
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Stores large binary data to the registry
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Prueba de pago.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX (9 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (21 identical entries)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX (53 identical entries)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX (7 identical entries)
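The "Process information set" entries above record changes to the process error mode, the flags SetErrorMode takes: NOOPENFILEERRORBOX only suppresses the message box OpenFile shows when a file is missing, and it is set by benign helpers such as vbc.exe and dw20.exe on this page too; NOGPFAULTERRORBOX suppresses the Windows Error Reporting dialog and FAILCRITICALERRORS suppresses the critical-error-handler box. The pair FAILCRITICALERRORS | NOGPFAULTERRORBOX, recorded here for Windows Update.exe and WerFault.exe, is the combination that lets a process die without any visible crash, so it is the one worth pulling out of the noise. The "Thread delayed" and "Thread sleep time" entries in the evasion section that follows print their values in milliseconds despite the "s" suffix (180000 and 300000 match the report's own ">= 3 min" threshold), and 922337203685477 is 0x8000000000000000 / 10000, the most negative relative timeout the kernel accepts, i.e. an effectively infinite wait. The script below is an added triage example, not part of the report or of the sample: it parses a handful of lines copied from this report (the SAMPLE_LINES list is constructed here) and produces a per-process verdict. The regular expression, the INFINITE_MS cut-off and the verdict keys are the example's own assumptions.

```python
"""Triage of Joe Sandbox 'Process information set' / 'Thread delayed' /
'Thread sleep time' lines.  Added example; not part of the report or of
the analysed sample.  The report prints delays in milliseconds even
though it appends an 's'."""
import re
from collections import defaultdict

# 0x8000000000000000 / 10000: the largest negative relative timeout in
# 100 ns units, rendered in ms.  Anything at or above it is an infinite wait.
INFINITE_MS = 922337203685477
LONG_SLEEP_MS = 180_000           # the report's own ">= 3 min" threshold

# Error-mode flags that together hide a crash from the user and from WER.
SILENT_CRASH = {"FAILCRITICALERRORS", "NOGPFAULTERRORBOX"}

LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?\.exe)\s+"
    r"(?:Process information set:\s+(?P<modes>[A-Z| ]+?)"
    r"|Thread delayed: delay time:\s+(?P<delay>\d+)"
    r"|TID:\s*\d+\s+Thread sleep time:\s+-(?P<sleep>\d+)s\s+>=\s+-\d+s)"
    r"(?:\s+Jump to behavior)?\s*$"          # link residue from the HTML report
)

# Constructed sample: lines copied from the report above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Prueba de pago.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX",
    r"Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 676 Thread sleep time: -120000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\Desktop\Prueba de pago.exe TID: 4688 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
]


def parse(lines):
    """Group report lines by process: {proc: {'modes': set, 'delays_ms': [int]}}.
    Lines that match none of the three shapes are ignored."""
    out = defaultdict(lambda: {"modes": set(), "delays_ms": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = out[m["proc"]]
        if m["modes"]:
            rec["modes"].update(f.strip() for f in m["modes"].split("|"))
        else:
            rec["delays_ms"].append(int(m["delay"] or m["sleep"]))
    return dict(out)


def triage(lines):
    """Per-process verdict: can it crash silently, and how many long or
    effectively infinite sleeps did the sandbox observe?"""
    verdicts = {}
    for proc, rec in parse(lines).items():
        delays = rec["delays_ms"]
        verdicts[proc] = {
            "silent_crash": SILENT_CRASH <= rec["modes"],
            "long_sleeps": sum(1 for d in delays if LONG_SLEEP_MS <= d < INFINITE_MS),
            "infinite_waits": sum(1 for d in delays if d >= INFINITE_MS),
        }
    return verdicts


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_LINES).items():
        print(f"{proc}: {verdict}")
```

Run over the full report the same way: paste the behavior lines into a file and feed `open(path)` to `triage`. Processes that set the silent-crash pair but are legitimate crash handlers (WerFault.exe sets it on every run) are expected; a dropped binary in AppData\Roaming doing the same while also using infinite waits is the combination to escalate.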

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430D08 0_2_00430D08
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00430D08 2_2_00430D08
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00454E54
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 2_2_00454E54
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Prueba de pago.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Thread delayed: delay time: 922337203685477
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00430D08 0_2_00430D08
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00430D08 2_2_00430D08
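The headings "Contains functionality to detect sleep reduction / modifications" and "May check if the current machine is a sandbox (GetTickCount - Sleep)" point at the same function (0_2_00430D08 in the dropper, 2_2_00430D08 in the dropped copy) and describe one trick: read GetTickCount, call Sleep, read GetTickCount again, and treat an elapsed time shorter than the requested delay as a sign that the host patches Sleep, as sandboxes do to get past long waits. The model below is an added example, not code from the sample or from the report; the clock and the sleep routine are injected so the check can be run offline against a simulated host, and `FakeHost`, `classify` and the 16 ms slack (GetTickCount advances in scheduler-tick steps of roughly 15.6 ms) are the example's own assumptions.

```python
"""Model of the GetTickCount/Sleep timing check.  Added example; not code
from the analysed sample.  On Windows the sample would use GetTickCount
around Sleep; here both are injected so a simulated sandbox that skips
Sleep can be exercised without waiting."""
import time
from typing import Callable

# GetTickCount has scheduler-tick granularity (about 15.6 ms), so a real
# check needs a little slack to avoid flagging a genuine host.
TICK_SLACK_MS = 16


def sleep_was_shortened(requested_ms: int,
                        sleep_fn: Callable[[float], None] = time.sleep,
                        clock_ms: Callable[[], float] = lambda: time.monotonic() * 1000.0,
                        slack_ms: int = TICK_SLACK_MS) -> bool:
    """True if less wall-clock time passed than was requested.

    A genuine host can oversleep but never undersleep, so apart from clock
    granularity the only way to come up short is a hooked Sleep that
    returns early without the clock moving on."""
    before = clock_ms()
    sleep_fn(requested_ms / 1000.0)
    elapsed = clock_ms() - before
    return elapsed + slack_ms < requested_ms


class FakeHost:
    """Simulated environment (assumption of this example).  With
    skip_sleep=True, Sleep returns at once and the clock does not advance,
    which is what a naive sleep-skipping sandbox looks like from inside."""

    def __init__(self, skip_sleep: bool):
        self.now_ms = 0.0
        self.skip_sleep = skip_sleep

    def clock(self) -> float:
        return self.now_ms

    def sleep(self, seconds: float) -> None:
        if not self.skip_sleep:
            self.now_ms += seconds * 1000.0


def classify(host: FakeHost, requested_ms: int = 180_000) -> str:
    """The decision the sample's check boils down to: stop if the delay was cut short."""
    if sleep_was_shortened(requested_ms, host.sleep, host.clock):
        return "sandbox-suspected"
    return "proceed"


if __name__ == "__main__":
    print(classify(FakeHost(skip_sleep=True)))   # sandbox-suspected
    print(classify(FakeHost(skip_sleep=False)))  # proceed
```

A sandbox that shortens Sleep and also advances the tick count it reports to the process passes this check, which is why the report hedges with "may check"; the 180000 and 300000 ms entries under "Contains long sleeps" are the delays the dropped copy then actually requests.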
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Prueba de pago.exe TID: 4688 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Prueba de pago.exe TID: 3352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5468 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 676 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 580 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1632 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -99890s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -98109s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -97953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -96750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -96609s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5708 Thread sleep time: -96453s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6300 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6972 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6976 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6984 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99797s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98656s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -98000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7004 Thread sleep time: -97750s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File opened: PhysicalDrive0
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004089B8 FindFirstFileA,GetLastError, 0_2_004089B8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405AE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_004089B8 FindFirstFileA,GetLastError, 2_2_004089B8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 2_2_00405AE8 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_00405AE8
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00421010 GetSystemInfo, 0_2_00421010
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\oyF
Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oy
Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Prueba de pago.exe, 00000001.00000002.232076308.00000000006DE000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Windows Update.exe, 00000003.00000002.270963619.0000000006750000.00000002.00000001.sdmp, Windows Update.exe, 0000000F.00000002.309071571.0000000006D30000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Prueba de pago.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Prueba de pago.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\Prueba de pago.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_004414DC SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode, 0_2_004414DC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048F412 mov eax, dword ptr fs:[00000030h] 1_2_0048F412
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048F4D0 mov eax, dword ptr fs:[00000030h] 1_2_0048F4D0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048F412 mov eax, dword ptr fs:[00000030h] 3_2_0048F412
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048F4D0 mov eax, dword ptr fs:[00000030h] 3_2_0048F4D0
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048B6F3
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048A746 SetUnhandledExceptionFilter, 1_2_0048A746
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0048BBB5
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 1_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0048DD7F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048B6F3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0048B6F3
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048A746 SetUnhandledExceptionFilter, 3_2_0048A746
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048DD7F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0048DD7F
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: 3_2_0048BBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0048BBB5
Source: C:\Users\user\Desktop\Prueba de pago.exe Memory protected: page read and write | page guard
Source: C:\Users\user\Desktop\Prueba de pago.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 0.2.Prueba de pago.exe.26e0000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Prueba de pago.exe.2350000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Prueba de pago.exe.2460000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 1.2.Prueba de pago.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 1.2.Prueba de pago.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 2.2.Windows Update.exe.2820000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 2.2.Windows Update.exe.2820000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 3.2.Windows Update.exe.2330000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.Windows Update.exe.2330000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 3.2.Windows Update.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.Windows Update.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 3.2.Windows Update.exe.22a0000.2.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 3.2.Windows Update.exe.22a0000.2.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 13.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 11.2.WindowsUpdate.exe.2740000.3.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Prueba de pago.exe Section loaded: unknown target: C:\Users\user\Desktop\Prueba de pago.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\Windows Update.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: unknown target: C:\Users\user\AppData\Roaming\WindowsUpdate.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\Desktop\Prueba de pago.exe 'C:\Users\user\Desktop\Prueba de pago.exe'
Source: C:\Users\user\Desktop\Prueba de pago.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2384
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\Windows Update.exe 'C:\Users\user\AppData\Roaming\Windows Update.exe'
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2376

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405CA0
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040AD50
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA, 0_2_004099D4
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA, 0_2_00409A20
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405DAC
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: GetLocaleInfoA, 1_2_0048EA4A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405CA0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA,GetACP, 2_2_0040AD50
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA, 2_2_004099D4
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA, 2_2_00409A20
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 2_2_00405DAC
Source: C:\Users\user\AppData\Roaming\Windows Update.exe Code function: GetLocaleInfoA, 3_2_0048EA4A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_0040697A GetSystemTime, 0_2_0040697A
Source: C:\Users\user\Desktop\Prueba de pago.exe Code function: 0_2_00441B28 GetVersion, 0_2_00441B28
Source: C:\Users\user\Desktop\Prueba de pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Prueba de pago.exe, 00000000.00000002.214877114.000000000019D000.00000004.00000010.sdmp, Windows Update.exe, 00000002.00000002.235078035.000000000019D000.00000004.00000010.sdmp, WindowsUpdate.exe, 0000000B.00000002.274403996.000000000019D000.00000004.00000010.sdmp, Windows Update.exe, 0000000E.00000002.284532743.000000000019D000.00000004.00000010.sdmp Binary or memory string: avp.exe
Source: Windows Update.exe, 00000003.00000002.271219701.0000000006C10000.00000004.00000001.sdmp Binary or memory string: r\MsMpeng.exe
Source: Windows Update.exe, 00000003.00000003.245352760.0000000000743000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected HawkEye Keylogger
Source: Yara match File source: 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.305679255.0000000002E2C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
Source: Yara match File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
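The MEMORY entries above are memory-dump identifiers, and their fields carry the information an analyst needs to tell which Yara hits are unpacked payload copies. The following script is an added example for this report, not Joe Sandbox code: it splits each `<process>.<phase>.<timestamp>.<base>.<protection>.<type>.sdmp` name, decodes the protection field as a standard Win32 PAGE_* constant, and counts per process how many hits sit in RWX memory at the default image base (consistent with the "process hollowing" and "overwrites its own PE header" signatures) versus RWX private memory versus plain RW data. The process-index-to-name table is read off the report's `.unpack` names (for example `15.2.Windows Update.exe.2300000` pairs with `0000000F.00000002...02302000`); the meaning of the last field is not stated in the report and is carried through as an opaque value, and the 0x400000 image-base range is an assumption about 32-bit defaults.

```python
"""Decode Joe Sandbox .sdmp identifiers and triage Yara hits by memory protection.

Added example, not sandbox code.  Process index and phase are confirmed by the
report's own .unpack names; protection is a Win32 PAGE_* constant; the last
field is treated as an opaque region flag (assumption: not documented here).
"""
import re
from collections import Counter, defaultdict

# Win32 memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# Process index -> image name, read off the report's <index>.<phase>.<name>...unpack entries.
PROCESS_NAMES = {
    0: "Prueba de pago.exe", 1: "Prueba de pago.exe",
    2: "Windows Update.exe", 3: "Windows Update.exe", 5: "vbc.exe",
    11: "WindowsUpdate.exe", 13: "WindowsUpdate.exe",
    14: "Windows Update.exe", 15: "Windows Update.exe",
}

DUMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Split one .sdmp identifier into its fields and decode the protection bits."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a Joe Sandbox memory dump name: %r" % name)
    proc, phase, ts, base, prot, rtype = m.groups()
    prot_val = int(prot, 16)
    return {
        "process_index": int(proc, 16),
        "process_name": PROCESS_NAMES.get(int(proc, 16), "?"),
        "phase": int(phase, 16),          # the '.1.' / '.2.' seen in the .unpack names
        "timestamp": int(ts),
        "base": int(base, 16),
        "protection": prot_val,
        "protection_name": PAGE_PROTECTION.get(prot_val & 0xFF, "UNKNOWN"),
        "executable": bool(prot_val & EXECUTABLE_MASK),
        "writable": bool(prot_val & WRITABLE_MASK),
        "region_type": int(rtype, 16),   # opaque; kept only so 0x20000 vs 0x1 dumps can be correlated
    }


def classify(hit):
    """Triage label.  Heuristic, not the sandbox's own logic (assumption):
    0x400000-0x4FFFFF is the usual 32-bit default image base, so RWX there is
    consistent with an image overwritten in place (process hollowing); RWX
    elsewhere points at unpacked or injected code in private memory."""
    in_image = 0x400000 <= hit["base"] < 0x500000
    if hit["executable"] and hit["writable"]:
        return "rwx-image" if in_image else "rwx-private"
    if hit["executable"]:
        return "rx"
    return "rw-data"


def summarize(names):
    """Count triage labels per process index."""
    per_process = defaultdict(Counter)
    for name in names:
        hit = parse_dump_name(name)
        per_process[hit["process_index"]][classify(hit)] += 1
    return per_process


# Six MEMORY entries taken from the Yara lists in this report.
SAMPLE_HITS = [
    "0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp",
    "0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp",
    "0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp",
    "00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp",
    "0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp",
    "00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for idx, counts in sorted(summarize(SAMPLE_HITS).items()):
        print(idx, PROCESS_NAMES.get(idx, "?"), dict(counts))
```

Run against the six sample names, the script shows process 13 (WindowsUpdate.exe) with two RWX hits inside the 0x400000 image range and process 5 (vbc.exe) with one at exactly 0x400000, which is how the MailPassView match in the .NET compiler process shows up once vbc.exe has been hollowed.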
Yara detected MailPassView
Source: Yara match File source: 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302581214.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.305848989.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303352806.0000000000962000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000001.274246556.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.302688394.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269629299.00000000039E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.214625496.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.236190946.0000000002822000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.252405021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266005625.0000000002210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.284532297.0000000000497000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215631159.0000000002777000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265501034.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232222302.00000000022C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281819026.00000000022B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.292592274.0000000002797000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281120249.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.266149463.0000000002332000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281367448.00000000006B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.234951052.00000000004D2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.303244261.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231765870.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232402101.0000000002462000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.265430290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.275578797.0000000002742000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.281698514.0000000002202000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.231841710.0000000000497000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6120, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
Source: Yara match File source: 1.2.Prueba de pago.exe.2460000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.2300000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2330000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.1.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.27d0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.2690000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.960000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.22a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Windows Update.exe.2820000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Windows Update.exe.2210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.2740000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WindowsUpdate.exe.26f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.6b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Windows Update.exe.2700000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.22c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Prueba de pago.exe.26e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.2350000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 3484, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY

Remote Access Functionality:

Detected HawkEye Rat
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Prueba de pago.exe, 00000000.00000002.215547746.00000000026E2000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Prueba de pago.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Prueba de pago.exe String found in binary or memory: HawkEyeKeylogger
Source: Prueba de pago.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Prueba de pago.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Prueba de pago.exe, 00000001.00000002.232284814.0000000002352000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000002.00000002.236281439.00000000028B7000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 00000003.00000002.266071751.00000000022A2000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000003.00000002.266901685.00000000029E1000.00000004.00000001.sdmp String found in binary or memory: ar#"HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000B.00000002.275686930.00000000027D7000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000000D.00000002.281027497.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000000D.00000002.290668635.0000000002A11000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 0000000E.00000002.292112517.0000000002702000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 0000000F.00000002.305646126.0000000002E26000.00000004.00000001.sdmp String found in binary or memory: ar'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Windows Update.exe, 0000000F.00000002.303592164.0000000002302000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9ar
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 0000000F.00000002.305102053.0000000002A33000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger|9ar@~WA]sOS}SOZYQQSD666666666666666666666666666666666666666666666666|9ar@
Source: WERF1FE.tmp.mdmp.9.dr String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WERF1FE.tmp.mdmp.9.dr String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WERF1FE.tmp.mdmp.9.dr String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WERF1FE.tmp.mdmp.9.dr String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 5080, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6456, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5388, type: MEMORY
Source: Yara match File source: Process Memory Space: Prueba de pago.exe PID: 2168, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6328, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 5672, type: MEMORY
Source: Yara match File source: Process Memory Space: Windows Update.exe PID: 6476, type: MEMORY
Source: Yara match File source: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF1FE.tmp.mdmp, type: DROPPED
Source: Yara match File source: 13.2.WindowsUpdate.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.Windows Update.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Prueba de pago.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 319596 Sample: Prueba de pago.exe Startdate: 18/11/2020 Architecture: WINDOWS Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures

Process tree:

Prueba de pago.exe (started)
  Signatures: Maps a DLL or memory area into another process
  -> Prueba de pago.exe (started)
       Dropped: C:\Users\user\...\Prueba de pago.exe.log, ASCII
       -> Windows Update.exe (started)
            Signatures: Maps a DLL or memory area into another process
            -> Windows Update.exe (started)
                 DNS/IP: 49.124.12.0.in-addr.arpa; smtp.jif-asesores.com 217.76.146.62, ports 49728, 49741, 587 (ONEANDONE-ASBrauerstrasse48DE, Spain); 2 other IPs or domains
                 Dropped: C:\Users\user\AppData\...\WindowsUpdate.exe, PE32; C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII
                 Signatures: Changes the view of files in windows explorer (hidden files and folders); Deletes itself after installation; Writes to foreign memory regions; 3 other signatures
                 -> vbc.exe (started)
                      Signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access)
                 -> vbc.exe (started)
                      Signatures: Tries to harvest and steal browser information (history, passwords, etc)
                 -> WerFault.exe (started)
                      Dropped: C:\ProgramData\Microsoft\...\WERF1FE.tmp.mdmp, Mini
                 -> dw20.exe (started)
WindowsUpdate.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Machine Learning detection for dropped file
  -> WindowsUpdate.exe (started)
       Dropped: C:\Users\user\AppData\...\Windows Update.exe, PE32; C:\...\Windows Update.exe:Zone.Identifier, ASCII
       -> Windows Update.exe (started)
            -> Windows Update.exe (started)
                 DNS/IP: 49.124.12.0.in-addr.arpa
                 Signatures: Installs a global keyboard hook
                 -> dw20.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.16.155.36 | unknown | United States | 13335 | CLOUDFLARENETUS | false
217.76.146.62 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

Private IPs

IP
192.168.2.1

Contacted Domains

Name | IP | Active
whatismyipaddress.com | 104.16.155.36 | true
smtp.jif-asesores.com | 217.76.146.62 | true
49.124.12.0.in-addr.arpa | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://whatismyipaddress.com/ | false | | high