Analysis Report Payment Advice 80642111.exe

Overview

General Information

Sample Name: Payment Advice 80642111.exe
Analysis ID: 357080
MD5: 85bd30d4211b1dff2fe6847502341831
SHA1: 74fdf25bef9f31e311b21d8ca572f834d03134c0
SHA256: 6f2af9503a84bf2c99e0bbf735b953a7551f7ff78f87c9ad84e8aff091f2ae10
Tags: exeHawkEye
Infos:

Most interesting Screenshot:

Detection

HawkEye MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected HawkEye Keylogger
Yara detected MailPassView
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Beds Obfuscator
Yara detected WebBrowserPassView password recovery tool
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: Payment Advice 80642111.exe.6428.0.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Metadefender: Detection: 18% Perma Link
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe ReversingLabs: Detection: 67%
Multi AV Scanner detection for submitted file
Source: Payment Advice 80642111.exe Virustotal: Detection: 61% Perma Link
Source: Payment Advice 80642111.exe Metadefender: Detection: 18% Perma Link
Source: Payment Advice 80642111.exe ReversingLabs: Detection: 67%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment Advice 80642111.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 23.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 27.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.WindowsUpdate.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 4.2.Payment Advice 80642111.exe.296f4cc.5.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

barindex
Uses 32bit PE files
Source: Payment Advice 80642111.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Payment Advice 80642111.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.280032093.00000000034B6000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.301909823.00000000027F1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.317588964.0000000002FA1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.280233741.00000000034A7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.280226509.00000000034A1000.00000004.00000001.sdmp

Spreading:

barindex
May infect USB drives
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp Binary or memory string: [autorun]

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4x nop then jmp 04FBA630h 4_2_04FBA568
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4x nop then jmp 04FBA630h 4_2_04FBA520
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_04FB9EF5
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_04FB9A2D
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 4_2_04FB2B75
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then jmp 0523A630h 23_2_0523A568
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then jmp 0523A630h 23_2_0523A559
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_05239EF5
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_05232B75
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_05239A2D
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_05DBFE8B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_08914469
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 23_2_089145FE

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 31.209.137.12:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 31.209.137.12 31.209.137.12
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49726 -> 31.209.137.12:587
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmp String found in binary or memory: f?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.facebook.com (Facebook)
Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmp String found in binary or memory: f?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0https://www.google.com/chrome/thank-you.htmlhttps://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/logine%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehp equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: 10.76.9.0.in-addr.arpa
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: http://blog.naver.com/cubemit314Ghttp://projectofsonagi.tistory.com/
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp String found in binary or memory: http://cps.root
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.cr:
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: WerFault.exe, 00000012.00000003.320829363.0000000000A33000.00000004.00000001.sdmp String found in binary or memory: http://crl.micro
Source: WindowsUpdate.exe, 00000017.00000002.507254853.0000000007097000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: Payment Advice 80642111.exe, 00000004.00000003.235761615.0000000005AFD000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: http://foo.com/foo
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: WindowsUpdate.exe, 00000017.00000002.507092380.0000000007036000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0f
Source: WindowsUpdate.exe, 00000017.00000003.366717151.00000000035F4000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.327611606.00000000033F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Advice 80642111.exe, 00000004.00000003.238762251.0000000005B2C000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Advice 80642111.exe, 00000004.00000003.240153326.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/B
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Payment Advice 80642111.exe, 00000004.00000003.241248337.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html8G
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersN
Source: Payment Advice 80642111.exe, 00000004.00000003.240736289.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersY
Source: Payment Advice 80642111.exe, 00000004.00000003.242522578.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersb
Source: Payment Advice 80642111.exe, 00000004.00000003.242433196.0000000005B2E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersx
Source: Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Payment Advice 80642111.exe, 00000004.00000002.287976818.0000000005AFB000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coml1
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment Advice 80642111.exe, 00000004.00000003.236783840.0000000005B1E000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Advice 80642111.exe, 00000004.00000003.236653540.0000000005B1E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnF
Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnicryz
Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnt;
Source: Payment Advice 80642111.exe, 00000004.00000003.237023942.0000000005AFC000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cny
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Advice 80642111.exe, 00000004.00000003.243159760.0000000005B21000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmh
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-
Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//(
Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Jy
Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Ky
Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Ty
Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-c
Source: Payment Advice 80642111.exe, 00000004.00000003.238336955.0000000005AF5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/gy
Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment Advice 80642111.exe, 00000004.00000003.238665028.0000000005AF9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Ty
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/gy
Source: Payment Advice 80642111.exe, 00000004.00000003.237769137.0000000005AF4000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/yy
Source: Payment Advice 80642111.exe, 00000004.00000003.238081922.0000000005AFA000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: vbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: vbc.exe, 0000001C.00000002.346625388.0000000000608000.00000004.00000020.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment Advice 80642111.exe, 00000004.00000003.237013015.0000000005B1E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comN
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Advice 80642111.exe, 00000004.00000002.288048178.0000000005BE0000.00000002.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.506391942.0000000005EE0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/checksync.p
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=(
Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.phphttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&
Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1https://c
Source: vbc.exe, 0000001C.00000003.346102030.0000000000A8E000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.google.com/chrome/thank-yo
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/TT
Source: vbc.exe, 0000001C.00000003.345554125.000000000092C000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: vbc.exe, 0000001C.00000002.346657064.000000000061D000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: HookKeyboard
Creates a DirectInput object (often for capturing keystrokes)
Source: Payment Advice 80642111.exe, 00000000.00000002.231772634.0000000000E98000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Advice 80642111.exe
Contains functionality to call native functions
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_089124E0 NtWriteVirtualMemory, 23_2_089124E0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_08913160 NtSetContextThread, 23_2_08913160
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_08911B58 NtResumeThread, 23_2_08911B58
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_089124D8 NtWriteVirtualMemory, 23_2_089124D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_089131F7 NtSetContextThread, 23_2_089131F7
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_08913158 NtSetContextThread, 23_2_08913158
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_08911B52 NtResumeThread, 23_2_08911B52
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01238337 0_2_01238337
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01239AB8 0_2_01239AB8
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01236560 0_2_01236560
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01236570 0_2_01236570
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01239AA8 0_2_01239AA8
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027EB29C 4_2_027EB29C
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027EB24B 4_2_027EB24B
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027EB290 4_2_027EB290
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027E99D0 4_2_027E99D0
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027EDFD0 4_2_027EDFD0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D69AB8 21_2_00D69AB8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D66570 21_2_00D66570
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D66560 21_2_00D66560
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D69AB3 21_2_00D69AB3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3B29C 23_2_02B3B29C
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3C310 23_2_02B3C310
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3B290 23_2_02B3B290
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3B1F2 23_2_02B3B1F2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B399D0 23_2_02B399D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3DFD0 23_2_02B3DFD0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05DBB4E0 23_2_05DBB4E0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05DBB198 23_2_05DBB198
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05DBBDB0 23_2_05DBBDB0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05DBEEC8 23_2_05DBEEC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05DB0007 23_2_05DB0007
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_08912728 23_2_08912728
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176
Sample file is different than original file name gathered from version info
Source: Payment Advice 80642111.exe Binary or memory string: OriginalFilename vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCaptIt.dll. vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000000.00000002.231772634.0000000000E98000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe Binary or memory string: OriginalFilename vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe Binary or memory string: OriginalFilename vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe Binary or memory string: OriginalFilename vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe, 00000004.00000002.275954906.0000000000482000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs Payment Advice 80642111.exe
Source: Payment Advice 80642111.exe Binary or memory string: OriginalFilenameScreenCapturer.exe> vs Payment Advice 80642111.exe
Uses 32bit PE files
Source: Payment Advice 80642111.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000004.00000002.293943590.0000000008500000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.294011237.0000000008650000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.507820706.0000000007CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.8500000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.7cd0000.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.WindowsUpdate.exe.7cc0000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.2972ff0.7.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.296f4cc.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Payment Advice 80642111.exe.8650000.12.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: Payment Advice 80642111.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WindowsUpdate.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Payment Advice 80642111.exe, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Payment Advice 80642111.exe.6d0000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Payment Advice 80642111.exe.6d0000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.Payment Advice 80642111.exe.1d0000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Payment Advice 80642111.exe.1d0000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.Payment Advice 80642111.exe.2b0000.0.unpack, CaptureRectangle.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs Base64 encoded string: '+AGFvcSQ7sospLt87BtSyu5CCeD0AahxtcUNqlQg7HubMvbKEoS3pVe0+oqcwjUD', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Base64 encoded string: '+AGFvcSQ7sospLt87BtSyu5CCeD0AahxtcUNqlQg7HubMvbKEoS3pVe0+oqcwjUD', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@25/17@3/3
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice 80642111.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7124
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CA.tmp Jump to behavior
Source: Payment Advice 80642111.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Payment Advice 80642111.exe Virustotal: Detection: 61%
Source: Payment Advice 80642111.exe Metadefender: Detection: 18%
Source: Payment Advice 80642111.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File read: C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe 'C:\Users\user\Desktop\Payment Advice 80642111.exe'
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 176
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7124 -s 176
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe 'C:\Users\user\AppData\Roaming\WindowsUpdate.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Payment Advice 80642111.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Advice 80642111.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdb source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.280032093.00000000034B6000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: RunPE.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232184557.00000000029FF000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.301909823.00000000027F1000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.317588964.0000000002FA1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.280247673.00000000034AD000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.507838378.0000000007CD0000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp
Source: Binary string: symbols\dll\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.280233741.00000000034A7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: jPC:\Windows\System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507957989.0000000007F7B000.00000004.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, Payment Advice 80642111.exe, 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, WindowsUpdate.exe, 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, vbc.exe, 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.282337296.0000000005551000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.284313829.0000000004C21000.00000004.00000001.sdmp
Source: Binary string: System.pdb source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vbc.pdbpUNzUN source: WerFault.exe, 00000011.00000002.321325415.0000000005640000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.330031093.0000000004D10000.00000002.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdb0 source: WindowsUpdate.exe, 00000017.00000002.507205242.0000000007078000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000011.00000003.280226509.00000000034A1000.00000004.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xA4622821 [Thu May 24 02:17:05 2057 UTC]
Yara detected Beds Obfuscator
Source: Yara match File source: 00000015.00000002.309460071.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.327982502.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235200966.00000000050F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.5620000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.4df0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.50f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.4df0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.5620000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.50f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.unpack, type: UNPACKEDPE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 0_2_01238A10 push dword ptr [ebp+5D906CA2h]; ret 0_2_01238A33
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_027EE672 push esp; ret 4_2_027EE679
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_04FBAC12 pushfd ; ret 4_2_04FBAC21
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Code function: 4_2_04FBFC02 push E801005Eh; ret 4_2_04FBFC09
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D689C1 pushfd ; retf 0004h 21_2_00D689C2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D689E9 pushfd ; retf 0004h 21_2_00D689EA
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D68A10 pushfd ; retf 0004h 21_2_00D68A12
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D68A39 pushfd ; retf 0004h 21_2_00D68A3A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 21_2_00D679C1 push es; retf 0004h 21_2_00D679C2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_02B3E672 push esp; ret 23_2_02B3E679
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_0523FC02 push E801005Eh; ret 23_2_0523FC09
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_0523AC12 pushfd ; ret 23_2_0523AC21
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_05234A40 push 000000C3h; ret 23_2_05234A7A
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_0891A162 push 840760CBh; retf 23_2_0891A169
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Code function: 23_2_0891A712 pushad ; iretd 23_2_0891A719
Source: initial sample Static PE information: section name: .text entropy: 7.9941732776
Source: initial sample Static PE information: section name: .text entropy: 7.9941732776

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to dropped file
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Windows Update Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected Beds Obfuscator
Source: Yara match File source: 00000015.00000002.309460071.0000000004DF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.327982502.0000000005620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.235200966.00000000050F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.5620000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.4df0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.50f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.4df0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.5620000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.50f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.unpack, type: UNPACKEDPE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 1468 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Window / User API: threadDelayed 4942 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6560 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6928 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe TID: 6932 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5580 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 240 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 4948 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 644 Thread sleep time: -41200s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5656 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99203s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -99094s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98969s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98859s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98750s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98641s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98531s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98156s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -98047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97406s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97297s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97188s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -97047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96906s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96688s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96547s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96422s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -96313s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7060 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1004 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5540 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Last function: Thread delayed
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000003.316948995.000000000347F000.00000004.00000001.sdmp, WerFault.exe, 00000012.00000003.320863428.0000000000A42000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WindowsUpdate.exe, 0000001B.00000002.325573849.00000000017A2000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000003.315342519.00000000034A1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW }H
Source: WerFault.exe, 00000012.00000003.318162252.0000000000A42000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <arg nm="p4" val="StackHash_2720" />
Source: WerFault.exe, 00000011.00000003.312924116.00000000034B4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WerFault.exe, 00000011.00000002.320639318.0000000005270000.00000002.00000001.sdmp, WerFault.exe, 00000012.00000002.331226131.0000000004EA0000.00000002.00000001.sdmp, WindowsUpdate.exe, 0000001B.00000002.330745607.0000000006560000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 23.2.WindowsUpdate.exe.400000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Users\user\Desktop\Payment Advice 80642111.exe C:\Users\user\Desktop\Payment Advice 80642111.exe Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Progman
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: WindowsUpdate.exe, 00000017.00000002.494252563.0000000001610000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Users\user\Desktop\Payment Advice 80642111.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Users\user\Desktop\Payment Advice 80642111.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\Payment Advice 80642111.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 00000004.00000002.283236826.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.343283889.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.503465573.0000000003D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6876, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.3939930.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.45fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.3939930.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.3d29930.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.45fa72.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.3d29930.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 0000001C.00000002.346347222.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.283540022.00000000039A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.503528098.0000000003D95000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match File source: Process Memory Space: vbc.exe PID: 6452, type: MEMORY
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.3d95e38.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.3d95e38.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected HawkEye Rat
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Payment Advice 80642111.exe, 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: Payment Advice 80642111.exe, 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: Payment Advice 80642111.exe, 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp String found in binary or memory: l&HawkEye_Keylogger_Execution_Confirmed_
Source: WindowsUpdate.exe, 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp String found in binary or memory: l"HawkEye_Keylogger_Stealer_Records_
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: WindowsUpdate.exe, 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000004.00000002.278382516.0000000002931000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.321590143.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.303042650.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.495351637.0000000002D21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.275693727.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.232301416.00000000039D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.488882188.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.318746225.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6428, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 5480, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice 80642111.exe PID: 6508, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 804, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6228, type: MEMORY
Source: Yara match File source: Process Memory Space: WindowsUpdate.exe PID: 6992, type: MEMORY
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.2d4b12c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.45fa72.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.408208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.405b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.408208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3bf5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.408208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3b3d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.38ab740.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.295b39c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.410d970.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice 80642111.exe.3a8b740.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.395d970.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.409c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Payment Advice 80642111.exe.45fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.WindowsUpdate.exe.409c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.WindowsUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.WindowsUpdate.exe.41c5d98.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.WindowsUpdate.exe.3a15d98.4.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357080 Sample: Payment Advice 80642111.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 11 other signatures 2->74 8 WindowsUpdate.exe 3 2->8         started        11 Payment Advice 80642111.exe 3 2->11         started        14 WindowsUpdate.exe 2->14         started        process3 file4 76 Multi AV Scanner detection for dropped file 8->76 78 Machine Learning detection for dropped file 8->78 16 WindowsUpdate.exe 4 8->16         started        48 C:\Users\...\Payment Advice 80642111.exe.log, ASCII 11->48 dropped 20 Payment Advice 80642111.exe 1 6 11->20         started        23 Payment Advice 80642111.exe 11->23         started        25 Payment Advice 80642111.exe 11->25         started        27 Payment Advice 80642111.exe 11->27         started        29 WindowsUpdate.exe 14->29         started        signatures5 process6 dnsIp7 50 smtp.vivaldi.net 31.209.137.12, 49726, 587 HRINGDU-ASIS Iceland 16->50 52 10.76.9.0.in-addr.arpa 16->52 60 Writes to foreign memory regions 16->60 62 Sample uses process hollowing technique 16->62 64 Injects a PE file into a foreign processes 16->64 31 vbc.exe 16->31         started        34 vbc.exe 16->34         started        54 192.168.2.1 unknown unknown 20->54 56 10.76.9.0.in-addr.arpa 20->56 44 C:\Users\user\AppData\...\WindowsUpdate.exe, PE32 20->44 dropped 46 C:\...\WindowsUpdate.exe:Zone.Identifier, ASCII 20->46 dropped 66 Changes the view of files in windows explorer (hidden files and folders) 20->66 36 vbc.exe 20->36         started        38 vbc.exe 20->38         started        58 127.0.0.1 unknown unknown 29->58 file8 signatures9 process10 signatures11 80 Tries to steal Instant Messenger accounts or passwords 31->80 82 Tries to steal Mail credentials (via file access) 31->82 84 Tries to harvest and steal browser information (history, passwords, etc) 34->84 40 WerFault.exe 6 9 36->40         started        42 WerFault.exe 19 9 38->42         started        process12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
31.209.137.12
 unknown Iceland
51896 HRINGDU-ASIS false

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
smtp.vivaldi.net 31.209.137.12 true
10.76.9.0.in-addr.arpa unknown unknown