Windows Analysis Report
Notificaci#U00f3n de pago.exe

Overview

General Information

Sample Name: Notificaci#U00f3n de pago.exe
Analysis ID: 626150
MD5: 297e8b7f26a2eb1af366cac0202eca9a
SHA1: 4b3e36dcd7ea9785f93e43699e1224ad30626148
SHA256: 441ba10d2078c45be3d266523f77b59a1478f61ce09f2097ccc276d534c35855
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hkqhdq.com/d6fp/"], "decoy": ["cwejman.art", "chandlerfeed.site", "team-ctctitleco.com", "yennyalfonsotorres84.com", "letseatdonuts.com", "runicarcanum.com", "info-center.xyz", "stemcanada.net", "granerde.com", "pixelatedkittys.com", "selfservicerepait.com", "lasvegastechman.com", "massage-rino.com", "bfederation.com", "kjy9.com", "homeiexpress.com", "hayatiorhan.com", "89739134.com", "kristin-feireiss-80.com", "zfp2.xyz", "peq2ulps.com", "redgreenbandits.com", "doblehuella.com", "521xiao.com", "freedomadventurescharters.com", "424259842.xyz", "peachfsg.com", "marketery.net", "dubhmor-dg.com", "sustainabilitymantra.xyz", "obivka.site", "yoursjoysled.com", "neurovirtualusa.com", "938323373.com", "seabornecap.com", "rjxingfu.com", "vacationsimplified.com", "elramony.com", "craftivitycrew.com", "cryptoheritageclub.com", "tcr8.fund", "gloumarc.com", "marry-me-today.com", "screator.life", "tokusou-clean.com", "sagesse.agency", "borilius.com", "www-saber.com", "bondjetfuel.com", "sedadbir.com", "interparking-60years.com", "mdartwork.com", "materialy.pro", "theguiriguide.com", "islandacoustical.com", "einfachmalgut.com", "nonstrappedmedia.club", "librevillegabon.com", "wasatchholidayclassic.net", "shanhaiyizhi.com", "triptoasiam.com", "s3industrail.com", "evertribute.com", "marketing-toolbox.com"]}
Source: Notificaci#U00f3n de pago.exe Virustotal: Detection: 21%
Source: Notificaci#U00f3n de pago.exe ReversingLabs: Detection: 41%
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Notificaci#U00f3n de pago.exe Joe Sandbox ML: detected
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Notificaci#U00f3n de pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Notificaci#U00f3n de pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FormatExcept.pdb8A source: Notificaci#U00f3n de pago.exe
Source: Binary string: WWAHost.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: FormatExcept.pdb source: Notificaci#U00f3n de pago.exe
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 4x nop then pop edi 8_2_004172F6
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 4x nop then pop edi 8_2_00417FEB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 14_2_00A772F6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 14_2_00A77FEB

Networking

Source: C:\Windows\explorer.exe Network Connect: 104.195.7.239 80
Source: C:\Windows\explorer.exe Domain query: www.theguiriguide.com
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80
Source: C:\Windows\explorer.exe Domain query: www.librevillegabon.com
Source: C:\Windows\explorer.exe Domain query: www.team-ctctitleco.com
Source: C:\Windows\explorer.exe Domain query: www.evertribute.com
Source: Malware configuration extractor URLs: www.hkqhdq.com/d6fp/
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.evertribute.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.theguiriguide.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.librevillegabon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 192.0.78.25
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.263896171.0000000005F96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com.TTF
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html0
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF?m
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comcom
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comlvfetDm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.283274028.0000000005F9A000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.312759063.0000000005F90000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.307819527.0000000005F90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como)m
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.275317837.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.275623975.0000000005F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comsief
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266049177.0000000005F98000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnG
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.266184528.0000000005F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cne-dio
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.265980144.0000000005F97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnnt
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/2
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.277842098.0000000005FC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/n
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/)m
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/6m
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Dm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Mm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0?m
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Zm
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/cm6
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/hm?
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/qm(
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.268786544.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268937816.0000000005F9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~mQ
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comG
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.come
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267071973.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: Notificaci#U00f3n de pago.exe, 00000000.00000003.267557028.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265054289.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267273158.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264590356.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264694065.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268115380.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267166340.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264094876.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266446750.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.266607005.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265196390.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265228038.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264926337.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.265917644.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264428081.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263906770.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264561984.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.268009733.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.264304896.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.263447229.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000003.267765595.0000000005FAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comt-bh
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.313327402.0000000007222000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.evertribute.com
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.evertribute.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.theguiriguide.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1 Host: www.librevillegabon.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
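The three requests above share one URI path (/d6fp/), one constant second parameter (q6AlF=0txdQnwxgb) and a varying, base64-looking first parameter, go to three unrelated hosts, close the connection immediately and carry no User-Agent header. That is the shape of a single implant walking its C2 domain list. The Python below is added here as an example; it is not part of the sandbox output or of the malware. It parses the three captured requests (copied from this report) together with some constructed benign traffic and flags the rotating-C2 pattern. The indicator names, the minimum host count and the 48-character parameter threshold are my own choices, not values taken from the report.

```python
"""Flag a FormBook-style rotating C2 beacon in captured HTTP requests.

Added example; not part of the sandbox report. The three REPORTED requests
are copied from the report's network section; the BENIGN ones are constructed
for contrast. Indicator names and thresholds are my own choices.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

REPORTED = [
    "GET /d6fp/?7nxh=0IAMhpyfM6TyxYvNuQBLxFd+VBe1OVp7bFg/8SsVn3OL4Z0v7SAtnQzd8ZWN+7APMfoM&q6AlF=0txdQnwxgb HTTP/1.1\r\n"
    "Host: www.evertribute.com\r\nConnection: close\r\n\r\n",
    "GET /d6fp/?7nxh=Vjw903Y9bM1AKbFW1pqe+tE50cefuwUzuT8QLR39Zk9vkX5o4NYForbp6qTr1jJAF4yG&q6AlF=0txdQnwxgb HTTP/1.1\r\n"
    "Host: www.theguiriguide.com\r\nConnection: close\r\n\r\n",
    "GET /d6fp/?7nxh=27dTALvGagYo6W4eiFO6YvZJ//Zn5pBdCa2l5DH7HNM2RGs4GWZbOB9vu5aCQaLmGkAl&q6AlF=0txdQnwxgb HTTP/1.1\r\n"
    "Host: www.librevillegabon.com\r\nConnection: close\r\n\r\n",
]

# Constructed benign traffic: the /search pair shares a path across two hosts
# but has no constant parameter, so it must not be reported.
BENIGN = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
    "GET /search?q=invoice HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /search?q=payment HTTP/1.1\r\nHost: www.example.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

LONG_PARAM = 48  # my threshold: the 7nxh values in the report are about 68 characters


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, first-value query params and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"method": method, "path": url.path, "params": params,
            "host": headers.get("host", ""), "headers": headers}


def request_indicators(req):
    """Per-request oddities; the first two are the ones the sandbox report also flags."""
    found = []
    if "user-agent" not in req["headers"]:
        found.append("no-user-agent")
    if req["headers"].get("connection", "").lower() == "close":
        found.append("connection-close")
    if req["method"] == "GET" and any(len(v) >= LONG_PARAM for v in req["params"].values()):
        found.append("long-encoded-get-param")
    return found


def find_rotating_c2(raw_requests, min_hosts=2):
    """Group requests by URI path; report groups that span >= min_hosts distinct hosts
    and carry a (name, value) query parameter identical in every request of the group."""
    by_path = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        by_path[req["path"]].append(req)
    hits = []
    for path, group in by_path.items():
        hosts = sorted({r["host"] for r in group})
        if len(hosts) < min_hosts:
            continue
        constant = set(group[0]["params"].items())
        for r in group[1:]:
            constant &= set(r["params"].items())
        if not constant:
            continue
        hits.append({
            "path": path,
            "hosts": hosts,
            "constant_params": dict(sorted(constant)),
            "indicators": sorted({i for r in group for i in request_indicators(r)}),
        })
    return hits


if __name__ == "__main__":
    for hit in find_rotating_c2(REPORTED + BENIGN):
        print(f"{hit['path']} -> {len(hit['hosts'])} hosts {hit['hosts']}")
        print(f"  constant params: {hit['constant_params']}  indicators: {hit['indicators']}")
```

Treat a hit as a triage signal rather than a verdict: two hosts that share a path and a tracking parameter such as lang=en would group the same way, so the missing User-Agent and the Connection: close indicators carry most of the weight. The 7nxh value is opaque to this check; nothing here decodes it.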

E-Banking Fraud

Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Notificaci#U00f3n de pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
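Every Yara hit above is keyed to a memory-dump name or an unpacked-PE name, and those names encode in which process and in what kind of memory the Formbook payload was found. The Python below is an added example, not part of the report: it parses a handful of these lines (copied from this page, with the rule metadata trimmed) into a per-process table of matched rules and the page protection of each matching region. On the report's own data that table shows the payload in a writable-and-executable private region at 0x400000 in process 8 (a second instance of the sample, consistent with the hollowing signature in the overview), in writable-and-executable mapped regions in processes 11 and 14 (14 is the WWAHost.exe instance whose functions are listed further down), and only in a read-write heap region of process 0 (the .NET dropper). The dump-name field layout (PID in hex, dump stage, sequence number, base address, page protection, an unexplained field, and an allocation type) is my reading of the Joe Sandbox naming convention and is an assumption; the PAGE_* and MEM_* values are the standard Windows constants.

```python
"""Turn Joe Sandbox Yara-match lines into a per-process triage table.

Added example; not part of the sandbox report. Assumed dump-name layouts:
  <PID hex>.<stage>.<sequence>.<base>.<page protection>.<unexplained>.<allocation type>.<reserved>.sdmp
  <PID dec>.<stage>.<image name>.<base hex>.<index>[.raw].unpack
PAGE_* and MEM_* values are the standard Windows constants.
"""
import re
from collections import defaultdict

# Lines copied from this report (rule metadata trimmed). The last one is a
# non-Yara line included to show that it is ignored.
REPORT_LINES = [
    "Source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com",
    "Source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory",
    "Source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: Notificaci#U00f3n de pago.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED",
]

LINE_RE = re.compile(r"^Source: (?P<src>.+?), type: (?P<kind>\w+) Matched rule: (?P<rule>\S+)")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
UNPACK_RE = re.compile(r"^(?P<pid>\d+)\.(?P<stage>\d+)\..+?\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")

# Standard Windows memory-protection and allocation-type constants.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_match_line(line):
    """Return a dict for a 'Matched rule' line, or None for any other report line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"rule": m["rule"], "kind": m["kind"]}
    s = SDMP_RE.match(m["src"])
    if s:
        prot = int(s["protect"], 16) & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
        rec.update(pid=int(s["pid"], 16), base=int(s["base"], 16),
                   protect=PAGE_PROTECT.get(prot, hex(prot)),
                   memtype=MEM_TYPE.get(int(s["memtype"], 16), s["memtype"]))
        return rec
    u = UNPACK_RE.match(m["src"])
    if u:
        rec.update(pid=int(u["pid"]), base=int(u["base"], 16))
        return rec
    return None


def triage(lines):
    """Per PID: rules that hit, (base, protection, type) of matching live regions, and unpacked bases."""
    out = defaultdict(lambda: {"rules": set(), "regions": set(), "unpacked": set()})
    for line in lines:
        rec = parse_match_line(line)
        if rec is None:
            continue
        entry = out[rec["pid"]]
        entry["rules"].add(rec["rule"])
        if rec["kind"] == "MEMORY":
            entry["regions"].add((rec["base"], rec["protect"], rec["memtype"]))
        else:
            entry["unpacked"].add(rec["base"])
    return dict(out)


def rwx_regions(summary):
    """(pid, base) pairs whose Yara hit sits in writable+executable memory: the injected payload itself."""
    return sorted((pid, base) for pid, entry in summary.items()
                  for base, protect, _ in entry["regions"] if protect == "PAGE_EXECUTE_READWRITE")


if __name__ == "__main__":
    summary = triage(REPORT_LINES)
    for pid in sorted(summary):
        entry = summary[pid]
        print(f"PID {pid}: rules={sorted(entry['rules'])}")
        for base, protect, memtype in sorted(entry["regions"]):
            print(f"    live region {base:#010x} {protect} {memtype}")
        for base in sorted(entry["unpacked"]):
            print(f"    unpacked PE from {base:#010x}")
    print("RWX payload regions:", [(p, hex(b)) for p, b in rwx_regions(summary)])
```

Only the lines that carry rule metadata (the "Formbook_1 date = ..." and "Formbook author = ..." form) give the rule name after "Matched rule:"; the earlier lines in this section put the rule description there instead, so feed the parser the metadata form when you want the name.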
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_02F1C754 0_2_02F1C754
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_02F1EB98 0_2_02F1EB98
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_02F1EB88 0_2_02F1EB88
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_076A2113 0_2_076A2113
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_076A4F58 0_2_076A4F58
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_076A5CA8 0_2_076A5CA8
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_076A9AE0 0_2_076A9AE0
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00401030 8_2_00401030
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041E1AE 8_2_0041E1AE
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0040926C 8_2_0040926C
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00409270 8_2_00409270
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041DBB2 8_2_0041DBB2
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0040DC10 8_2_0040DC10
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00402D88 8_2_00402D88
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00402D90 8_2_00402D90
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041DEF4 8_2_0041DEF4
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00402FB0 8_2_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398EBB0 14_2_0398EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1DBD2 14_2_03A1DBD2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A22B28 14_2_03A22B28
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A222AE 14_2_03A222AE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395F900 14_2_0395F900
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396B090 14_2_0396B090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A220A8 14_2_03A220A8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A228EC 14_2_03A228EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A2E824 14_2_03A2E824
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A11002 14_2_03A11002
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A21FF1 14_2_03A21FF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A22EF7 14_2_03A22EF7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03976E30 14_2_03976E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1D616 14_2_03A1D616
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982581 14_2_03982581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396D5E0 14_2_0396D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A225DD 14_2_03A225DD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A22D07 14_2_03A22D07
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03950D20 14_2_03950D20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A21D55 14_2_03A21D55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396841F 14_2_0396841F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1D466 14_2_03A1D466
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A6926C 14_2_00A6926C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A69270 14_2_00A69270
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7DBB2 14_2_00A7DBB2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A6DC10 14_2_00A6DC10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A62D88 14_2_00A62D88
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A62D90 14_2_00A62D90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7DEF3 14_2_00A7DEF3
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A62FB0 14_2_00A62FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0395B150 appears 35 times
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A310 NtCreateFile, 8_2_0041A310
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A3C0 NtReadFile, 8_2_0041A3C0
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A440 NtClose, 8_2_0041A440
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A4F0 NtAllocateVirtualMemory, 8_2_0041A4F0
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A362 NtCreateFile, 8_2_0041A362
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A30A NtCreateFile, 8_2_0041A30A
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A3BA NtReadFile, 8_2_0041A3BA
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A43B NtClose, 8_2_0041A43B
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A4EA NtAllocateVirtualMemory, 8_2_0041A4EA
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A4F4 NtAllocateVirtualMemory, 8_2_0041A4F4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999A50 NtCreateFile,LdrInitializeThunk, 14_2_03999A50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039999A0 NtCreateSection,LdrInitializeThunk, 14_2_039999A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_03999910
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999840 NtDelayExecution,LdrInitializeThunk, 14_2_03999840
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_03999860
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999780 NtMapViewOfSection,LdrInitializeThunk, 14_2_03999780
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999FE0 NtCreateMutant,LdrInitializeThunk, 14_2_03999FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999710 NtQueryInformationToken,LdrInitializeThunk, 14_2_03999710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039996D0 NtCreateKey,LdrInitializeThunk, 14_2_039996D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039996E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_039996E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999650 NtQueryValueKey,LdrInitializeThunk, 14_2_03999650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_03999660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039995D0 NtClose,LdrInitializeThunk, 14_2_039995D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999540 NtReadFile,LdrInitializeThunk, 14_2_03999540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399A3B0 NtGetContextThread, 14_2_0399A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999B00 NtSetValueKey, 14_2_03999B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999A80 NtOpenDirectoryObject, 14_2_03999A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999A10 NtQuerySection, 14_2_03999A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999A00 NtProtectVirtualMemory, 14_2_03999A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999A20 NtResumeThread, 14_2_03999A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039999D0 NtCreateProcessEx, 14_2_039999D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999950 NtQueueApcThread, 14_2_03999950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039998A0 NtWriteVirtualMemory, 14_2_039998A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039998F0 NtReadVirtualMemory, 14_2_039998F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999820 NtEnumerateKey, 14_2_03999820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399B040 NtSuspendThread, 14_2_0399B040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039997A0 NtUnmapViewOfSection, 14_2_039997A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399A710 NtOpenProcessToken, 14_2_0399A710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999730 NtQueryVirtualMemory, 14_2_03999730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399A770 NtOpenThread, 14_2_0399A770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999770 NtSetInformationFile, 14_2_03999770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999760 NtOpenProcess, 14_2_03999760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999610 NtEnumerateValueKey, 14_2_03999610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999670 NtQueryInformationProcess, 14_2_03999670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039995F0 NtQueryInformationFile, 14_2_039995F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399AD30 NtSetContextThread, 14_2_0399AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999520 NtWaitForSingleObject, 14_2_03999520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03999560 NtWriteFile, 14_2_03999560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A3C0 NtReadFile, 14_2_00A7A3C0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A310 NtCreateFile, 14_2_00A7A310
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A4F0 NtAllocateVirtualMemory, 14_2_00A7A4F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A440 NtClose, 14_2_00A7A440
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A3BA NtReadFile, 14_2_00A7A3BA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A30A NtCreateFile, 14_2_00A7A30A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A362 NtCreateFile, 14_2_00A7A362
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A4EA NtAllocateVirtualMemory, 14_2_00A7A4EA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A4F4 NtAllocateVirtualMemory, 14_2_00A7A4F4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A43B NtClose, 14_2_00A7A43B
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.314207449.0000000007930000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.308434377.0000000000C16000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000000.303233250.0000000000E96000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.381717233.00000000039B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.385915801.0000000001CFF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386824949.00000000038D6000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.306954207.0000000001830000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.308930393.00000000019D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe Binary or memory string: OriginalFilenameFormatExcept.exeF vs Notificaci#U00f3n de pago.exe
Source: Notificaci#U00f3n de pago.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Notificaci#U00f3n de pago.exe Virustotal: Detection: 21%
Source: Notificaci#U00f3n de pago.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Notificaci#U00f3n de pago.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@6/3
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Notificaci#U00f3n de pago.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Notificaci#U00f3n de pago.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Notificaci#U00f3n de pago.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WWAHost.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FormatExcept.pdb8A source: Notificaci#U00f3n de pago.exe
Source: Binary string: WWAHost.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.386556688.0000000003820000.00000040.10000000.00040000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381620800.0000000003900000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.381239954.0000000003825000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Notificaci#U00f3n de pago.exe, 00000008.00000002.384074601.0000000001A50000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000002.385236446.0000000001B6F000.00000040.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.308300902.00000000018B3000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000008.00000003.306800992.000000000171A000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 0000000E.00000003.383100819.00000000035F7000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000003.385157630.0000000003790000.00000004.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.539485968.0000000003A4F000.00000040.00000800.00020000.00000000.sdmp, WWAHost.exe, 0000000E.00000002.537728974.0000000003930000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: FormatExcept.pdb source: Notificaci#U00f3n de pago.exe

Data Obfuscation

Source: Notificaci#U00f3n de pago.exe, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/FJ.cs .Net Code: Qyc System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: Notificaci#U00f3n de pago.exe, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/FJ.cs .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "456E756D43617465676F7279496E7374616E636573466C", "7763786A4E67544675", "PagedOptionsDialog" } }, null, null)
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 0_2_00B98EDF push ss; retf 0_2_00B98EF6
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041A082 push 01F04D8Ch; iretd 8_2_0041A08B
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00416D1E push ds; retf 8_2_00416D1F
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00416DE0 push es; iretd 8_2_00416DE1
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D662 push eax; ret 8_2_0041D668
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D66B push eax; ret 8_2_0041D6D2
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D615 push eax; ret 8_2_0041D668
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041D6CC push eax; ret 8_2_0041D6D2
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0041E773 push ecx; ret 8_2_0041E774
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00E18EDF push ss; retf 8_2_00E18EF6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039AD0D1 push ecx; ret 14_2_039AD0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7A082 push 01F04D8Ch; iretd 14_2_00A7A08B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A76DE0 push es; iretd 14_2_00A76DE1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A76D1E push ds; retf 14_2_00A76D1F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D6CC push eax; ret 14_2_00A7D6D2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D615 push eax; ret 14_2_00A7D668
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D662 push eax; ret 14_2_00A7D668
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7D66B push eax; ret 14_2_00A7D6D2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_00A7E773 push ecx; ret 14_2_00A7E774
Source: initial sample Static PE information: section name: .text entropy: 7.92135270708
Source: Notificaci#U00f3n de pago.exe, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 0.2.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 0.0.Notificaci#U00f3n de pago.exe.b90000.0.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.7.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.9.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.2.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.3.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.1.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.5.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.0.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'
Source: 8.0.Notificaci#U00f3n de pago.exe.e10000.2.unpack, Rw/Yt.cs High entropy of concatenated method names: 'az', 'Jys', 'pyd', 'hyI', '.ctor', 'pR', 'xT', 'sq', 'd3', 'G9'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Notificaci#U00f3n de pago.exe PID: 6360, type: MEMORYSTR
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp, Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe RDTSC instruction interceptor: First address: 0000000000408F8E second address: 0000000000408F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000A68C04 second address: 0000000000A68C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000000A68F8E second address: 0000000000A68F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6364 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00408EC0 rdtsc 8_2_00408EC0
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WWAHost.exe API coverage: 9.4 %
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000B.00000000.323171776.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.429366333.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 0000000B.00000000.340384303.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000B.00000000.435360812.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 0000000B.00000000.360151542.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 0000000B.00000000.323914419.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000B.00000000.323171776.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000B.00000000.367419056.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_00408EC0 rdtsc 8_2_00408EC0
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process token adjusted: Debug
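The evasion findings above and the fs:[30h] reads listed below are easier to triage once they are grouped by process and technique, so here is an added example (not part of the Joe Sandbox report) that parses the report's own "Source: ..." finding lines. The sample lines are copied from this report, trimmed to one memory dump each; the technique labels, function names and the TIMESPAN_MAX_MS constant are this script's own, not Joe Sandbox's. Points the grouping makes visible: SBIEDLL.DLL is the Sandboxie hook DLL and kernel32.dll.wine_get_unix_file_name is an export that only exists under Wine, so both strings are environment checks carried by the sample; 922337203685477 is 2^63-1 ticks of 100 ns divided by 10,000, i.e. TimeSpan.MaxValue in milliseconds, so that sleep would never return on its own and the sandbox had to skip it; the VMware strings in explorer.exe's memory are device-instance paths and volume GUIDs that any explorer.exe on a VMware guest holds, whereas "VMware SVGA II", the VMware Tools InstallPath and the SOFTWARE\VMware, Inc.\VMware Tools key in the sample's own memory are strings the sample brought with it; and fs:[30h] is the PEB pointer in the 32-bit TEB, where BeingDebugged (PEB+0x02) and NtGlobalFlag (PEB+0x68) live, but the same read also starts ordinary module-list walks via Ldr (PEB+0x0C), so the script counts distinct functions rather than lines.

```python
"""Triage Joe Sandbox 'Malware Analysis System Evasion' findings by process.

Added example, not part of the report. SAMPLE_FINDINGS holds lines copied from
the report above (trimmed to one memory dump each); technique labels are this
script's own names, not Joe Sandbox signature names.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# 2**63-1 ticks of 100 ns in milliseconds: TimeSpan.MaxValue as a .NET wait
# receives it. The report prints exactly this, so the sleep never expires.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477

FINDING_RE = re.compile(
    r"^Source: (?P<src>.+?)"
    r"(?:, [0-9A-F]{8}\.\S+)?"            # memory-dump id on string hits
    r" (?P<kind>Binary or memory string|RDTSC instruction interceptor|TID"
    r"|Code function|Thread delayed|Process information set): ?(?P<rest>.*)$"
)

SAMPLE_FINDINGS = r"""
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310331717.0000000002FB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6364 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000B.00000000.323171776.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: Notificaci#U00f3n de pago.exe, 00000000.00000002.310059804.0000000002F31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h] 14_2_03963D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h] 14_2_03963D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03984D3B mov eax, dword ptr fs:[00000030h] 14_2_03984D3B
"""


@dataclass(frozen=True)
class Finding:
    process: str      # image name only, e.g. WWAHost.exe
    technique: str    # label assigned by _label()
    detail: str       # token the label was derived from (string, function id, ms)


def _image_name(src: str) -> str:
    # "C:\dir\x.exe" or "x.exe, <dump>, x.exe, <dump>" -> "x.exe"
    return src.split(", ")[0].rsplit("\\", 1)[-1]


def _label(kind: str, rest: str) -> Optional[Tuple[str, str]]:
    if kind == "Binary or memory string":
        s = rest.upper()
        if "SBIEDLL" in s:
            return "sandboxie-dll-check", rest
        if "WINE_GET_UNIX_FILE_NAME" in s:
            return "wine-check", rest
        if "VMWARE" in s or "VBOX" in s or "VIRTUALBOX" in s:
            return "vm-artifact-string", rest
        return None
    if kind == "RDTSC instruction interceptor":
        return "rdtsc-timing", rest.split("instructions:")[-1].strip()
    if kind in ("TID", "Thread delayed"):
        m = re.search(r"(?:sleep time|delay time): -?(\d+)", rest)
        if not m:
            return None
        value = int(m.group(1))   # taken as the report prints it
        return ("infinite-sleep" if value >= TIMESPAN_MAX_MS else "long-sleep"), m.group(1)
    if kind == "Code function" and "fs:[00000030h]" in rest:
        return "peb-access", rest.split()[0]          # function id, e.g. 14_2_03963D34
    if kind == "Process information set":
        return "error-dialogs-suppressed", rest
    return None


def parse_findings(report_text: str) -> List[Finding]:
    findings = []
    for line in report_text.splitlines():
        m = FINDING_RE.match(line.strip())
        if not m:
            continue
        labelled = _label(m.group("kind"), m.group("rest"))
        if labelled:
            findings.append(Finding(_image_name(m.group("src")), *labelled))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-process technique counts; identical findings (same function, same
    string, same delay) are counted once, so repeated PEB reads collapse."""
    counts = defaultdict(Counter)
    for f in set(findings):
        counts[f.process][f.technique] += 1
    return {proc: dict(c) for proc, c in counts.items()}


def vm_strings_in(findings: List[Finding], image: str) -> List[str]:
    """VM-related strings found in one process's memory, for telling the
    sample's own checks apart from explorer.exe's device enumeration."""
    return sorted({f.detail for f in findings
                   if f.process == image and f.technique == "vm-artifact-string"})


if __name__ == "__main__":
    fs = parse_findings(SAMPLE_FINDINGS)
    for proc, techniques in sorted(summarize(fs).items()):
        print(proc, techniques)
    print("VM strings in the sample's own memory:",
          vm_strings_in(fs, "Notificaci#U00f3n de pago.exe"))
```

Feed the whole report section to parse_findings to get the same grouping for every process; the one thing it deliberately does not do is treat a count of PEB reads as evidence of debugger detection on its own, since that is decided by what the function does with the pointer.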
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A25BA5 mov eax, dword ptr fs:[00000030h] 14_2_03A25BA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398B390 mov eax, dword ptr fs:[00000030h] 14_2_0398B390
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982397 mov eax, dword ptr fs:[00000030h] 14_2_03982397
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03961B8F mov eax, dword ptr fs:[00000030h] 14_2_03961B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03961B8F mov eax, dword ptr fs:[00000030h] 14_2_03961B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A0D380 mov ecx, dword ptr fs:[00000030h] 14_2_03A0D380
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1138A mov eax, dword ptr fs:[00000030h] 14_2_03A1138A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h] 14_2_03984BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h] 14_2_03984BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03984BAD mov eax, dword ptr fs:[00000030h] 14_2_03984BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D53CA mov eax, dword ptr fs:[00000030h] 14_2_039D53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D53CA mov eax, dword ptr fs:[00000030h] 14_2_039D53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039803E2 mov eax, dword ptr fs:[00000030h] 14_2_039803E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397DBE9 mov eax, dword ptr fs:[00000030h] 14_2_0397DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1131B mov eax, dword ptr fs:[00000030h] 14_2_03A1131B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395F358 mov eax, dword ptr fs:[00000030h] 14_2_0395F358
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395DB40 mov eax, dword ptr fs:[00000030h] 14_2_0395DB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03983B7A mov eax, dword ptr fs:[00000030h] 14_2_03983B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03983B7A mov eax, dword ptr fs:[00000030h] 14_2_03983B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395DB60 mov ecx, dword ptr fs:[00000030h] 14_2_0395DB60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28B58 mov eax, dword ptr fs:[00000030h] 14_2_03A28B58
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398D294 mov eax, dword ptr fs:[00000030h] 14_2_0398D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398D294 mov eax, dword ptr fs:[00000030h] 14_2_0398D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0396AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396AAB0 mov eax, dword ptr fs:[00000030h] 14_2_0396AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398FAB0 mov eax, dword ptr fs:[00000030h] 14_2_0398FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h] 14_2_039552A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h] 14_2_039552A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h] 14_2_039552A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h] 14_2_039552A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039552A5 mov eax, dword ptr fs:[00000030h] 14_2_039552A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982ACB mov eax, dword ptr fs:[00000030h] 14_2_03982ACB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982AE4 mov eax, dword ptr fs:[00000030h] 14_2_03982AE4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395AA16 mov eax, dword ptr fs:[00000030h] 14_2_0395AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395AA16 mov eax, dword ptr fs:[00000030h] 14_2_0395AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h] 14_2_03955210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03955210 mov ecx, dword ptr fs:[00000030h] 14_2_03955210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h] 14_2_03955210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03955210 mov eax, dword ptr fs:[00000030h] 14_2_03955210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03973A1C mov eax, dword ptr fs:[00000030h] 14_2_03973A1C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03968A0A mov eax, dword ptr fs:[00000030h] 14_2_03968A0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03994A2C mov eax, dword ptr fs:[00000030h] 14_2_03994A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03994A2C mov eax, dword ptr fs:[00000030h] 14_2_03994A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1AA16 mov eax, dword ptr fs:[00000030h] 14_2_03A1AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1AA16 mov eax, dword ptr fs:[00000030h] 14_2_03A1AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A0B260 mov eax, dword ptr fs:[00000030h] 14_2_03A0B260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A0B260 mov eax, dword ptr fs:[00000030h] 14_2_03A0B260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28A62 mov eax, dword ptr fs:[00000030h] 14_2_03A28A62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039E4257 mov eax, dword ptr fs:[00000030h] 14_2_039E4257
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h] 14_2_03959240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h] 14_2_03959240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h] 14_2_03959240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959240 mov eax, dword ptr fs:[00000030h] 14_2_03959240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0399927A mov eax, dword ptr fs:[00000030h] 14_2_0399927A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1EA55 mov eax, dword ptr fs:[00000030h] 14_2_03A1EA55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982990 mov eax, dword ptr fs:[00000030h] 14_2_03982990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397C182 mov eax, dword ptr fs:[00000030h] 14_2_0397C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A185 mov eax, dword ptr fs:[00000030h] 14_2_0398A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h] 14_2_039D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h] 14_2_039D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h] 14_2_039D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D51BE mov eax, dword ptr fs:[00000030h] 14_2_039D51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039861A0 mov eax, dword ptr fs:[00000030h] 14_2_039861A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039861A0 mov eax, dword ptr fs:[00000030h] 14_2_039861A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D69A6 mov eax, dword ptr fs:[00000030h] 14_2_039D69A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0395B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0395B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395B1E1 mov eax, dword ptr fs:[00000030h] 14_2_0395B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039E41E8 mov eax, dword ptr fs:[00000030h] 14_2_039E41E8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h] 14_2_03959100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h] 14_2_03959100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959100 mov eax, dword ptr fs:[00000030h] 14_2_03959100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398513A mov eax, dword ptr fs:[00000030h] 14_2_0398513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398513A mov eax, dword ptr fs:[00000030h] 14_2_0398513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h] 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h] 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h] 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 mov eax, dword ptr fs:[00000030h] 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03974120 mov ecx, dword ptr fs:[00000030h] 14_2_03974120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397B944 mov eax, dword ptr fs:[00000030h] 14_2_0397B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397B944 mov eax, dword ptr fs:[00000030h] 14_2_0397B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395B171 mov eax, dword ptr fs:[00000030h] 14_2_0395B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395B171 mov eax, dword ptr fs:[00000030h] 14_2_0395B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395C962 mov eax, dword ptr fs:[00000030h] 14_2_0395C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03959080 mov eax, dword ptr fs:[00000030h] 14_2_03959080
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D3884 mov eax, dword ptr fs:[00000030h] 14_2_039D3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D3884 mov eax, dword ptr fs:[00000030h] 14_2_039D3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398F0BF mov ecx, dword ptr fs:[00000030h] 14_2_0398F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398F0BF mov eax, dword ptr fs:[00000030h] 14_2_0398F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398F0BF mov eax, dword ptr fs:[00000030h] 14_2_0398F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039990AF mov eax, dword ptr fs:[00000030h] 14_2_039990AF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039820A0 mov eax, dword ptr fs:[00000030h] 14_2_039820A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov ecx, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EB8D0 mov eax, dword ptr fs:[00000030h] 14_2_039EB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039558EC mov eax, dword ptr fs:[00000030h] 14_2_039558EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h] 14_2_039D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h] 14_2_039D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7016 mov eax, dword ptr fs:[00000030h] 14_2_039D7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h] 14_2_0398002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h] 14_2_0398002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h] 14_2_0398002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h] 14_2_0398002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398002D mov eax, dword ptr fs:[00000030h] 14_2_0398002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A24015 mov eax, dword ptr fs:[00000030h] 14_2_03A24015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A24015 mov eax, dword ptr fs:[00000030h] 14_2_03A24015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h] 14_2_0396B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h] 14_2_0396B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h] 14_2_0396B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396B02A mov eax, dword ptr fs:[00000030h] 14_2_0396B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03970050 mov eax, dword ptr fs:[00000030h] 14_2_03970050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03970050 mov eax, dword ptr fs:[00000030h] 14_2_03970050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A12073 mov eax, dword ptr fs:[00000030h] 14_2_03A12073
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A21074 mov eax, dword ptr fs:[00000030h] 14_2_03A21074
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03968794 mov eax, dword ptr fs:[00000030h] 14_2_03968794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h] 14_2_039D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h] 14_2_039D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D7794 mov eax, dword ptr fs:[00000030h] 14_2_039D7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039937F5 mov eax, dword ptr fs:[00000030h] 14_2_039937F5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397F716 mov eax, dword ptr fs:[00000030h] 14_2_0397F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EFF10 mov eax, dword ptr fs:[00000030h] 14_2_039EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EFF10 mov eax, dword ptr fs:[00000030h] 14_2_039EFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A70E mov eax, dword ptr fs:[00000030h] 14_2_0398A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A70E mov eax, dword ptr fs:[00000030h] 14_2_0398A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398E730 mov eax, dword ptr fs:[00000030h] 14_2_0398E730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A2070D mov eax, dword ptr fs:[00000030h] 14_2_03A2070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A2070D mov eax, dword ptr fs:[00000030h] 14_2_03A2070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03954F2E mov eax, dword ptr fs:[00000030h] 14_2_03954F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03954F2E mov eax, dword ptr fs:[00000030h] 14_2_03954F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28F6A mov eax, dword ptr fs:[00000030h] 14_2_03A28F6A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396EF40 mov eax, dword ptr fs:[00000030h] 14_2_0396EF40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396FF60 mov eax, dword ptr fs:[00000030h] 14_2_0396FF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h] 14_2_03A20EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h] 14_2_03A20EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A20EA5 mov eax, dword ptr fs:[00000030h] 14_2_03A20EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EFE87 mov eax, dword ptr fs:[00000030h] 14_2_039EFE87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D46A7 mov eax, dword ptr fs:[00000030h] 14_2_039D46A7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039836CC mov eax, dword ptr fs:[00000030h] 14_2_039836CC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03998EC7 mov eax, dword ptr fs:[00000030h] 14_2_03998EC7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A0FEC0 mov eax, dword ptr fs:[00000030h] 14_2_03A0FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28ED6 mov eax, dword ptr fs:[00000030h] 14_2_03A28ED6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039676E2 mov eax, dword ptr fs:[00000030h] 14_2_039676E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039816E0 mov ecx, dword ptr fs:[00000030h] 14_2_039816E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A61C mov eax, dword ptr fs:[00000030h] 14_2_0398A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A61C mov eax, dword ptr fs:[00000030h] 14_2_0398A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h] 14_2_0395C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h] 14_2_0395C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395C600 mov eax, dword ptr fs:[00000030h] 14_2_0395C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03988E00 mov eax, dword ptr fs:[00000030h] 14_2_03988E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A0FE3F mov eax, dword ptr fs:[00000030h] 14_2_03A0FE3F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A11608 mov eax, dword ptr fs:[00000030h] 14_2_03A11608
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395E620 mov eax, dword ptr fs:[00000030h] 14_2_0395E620
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03967E41 mov eax, dword ptr fs:[00000030h] 14_2_03967E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h] 14_2_0397AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h] 14_2_0397AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h] 14_2_0397AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h] 14_2_0397AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397AE73 mov eax, dword ptr fs:[00000030h] 14_2_0397AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1AE44 mov eax, dword ptr fs:[00000030h] 14_2_03A1AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1AE44 mov eax, dword ptr fs:[00000030h] 14_2_03A1AE44
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396766D mov eax, dword ptr fs:[00000030h] 14_2_0396766D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398FD9B mov eax, dword ptr fs:[00000030h] 14_2_0398FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398FD9B mov eax, dword ptr fs:[00000030h] 14_2_0398FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A205AC mov eax, dword ptr fs:[00000030h] 14_2_03A205AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A205AC mov eax, dword ptr fs:[00000030h] 14_2_03A205AC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982581 mov eax, dword ptr fs:[00000030h] 14_2_03982581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982581 mov eax, dword ptr fs:[00000030h] 14_2_03982581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982581 mov eax, dword ptr fs:[00000030h] 14_2_03982581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03982581 mov eax, dword ptr fs:[00000030h] 14_2_03982581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h] 14_2_03952D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h] 14_2_03952D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h] 14_2_03952D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h] 14_2_03952D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03952D8A mov eax, dword ptr fs:[00000030h] 14_2_03952D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h] 14_2_03981DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h] 14_2_03981DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03981DB5 mov eax, dword ptr fs:[00000030h] 14_2_03981DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039835A1 mov eax, dword ptr fs:[00000030h] 14_2_039835A1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h] 14_2_03A1FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h] 14_2_03A1FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h] 14_2_03A1FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1FDE2 mov eax, dword ptr fs:[00000030h] 14_2_03A1FDE2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A08DF1 mov eax, dword ptr fs:[00000030h] 14_2_03A08DF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov ecx, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6DC9 mov eax, dword ptr fs:[00000030h] 14_2_039D6DC9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0396D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396D5E0 mov eax, dword ptr fs:[00000030h] 14_2_0396D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28D34 mov eax, dword ptr fs:[00000030h] 14_2_03A28D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A1E539 mov eax, dword ptr fs:[00000030h] 14_2_03A1E539
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03963D34 mov eax, dword ptr fs:[00000030h] 14_2_03963D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03984D3B mov eax, dword ptr fs:[00000030h] 14_2_03984D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0395AD30 mov eax, dword ptr fs:[00000030h] 14_2_0395AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039DA537 mov eax, dword ptr fs:[00000030h] 14_2_039DA537
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03977D50 mov eax, dword ptr fs:[00000030h] 14_2_03977D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03993D43 mov eax, dword ptr fs:[00000030h] 14_2_03993D43
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D3540 mov eax, dword ptr fs:[00000030h] 14_2_039D3540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397C577 mov eax, dword ptr fs:[00000030h] 14_2_0397C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0396849B mov eax, dword ptr fs:[00000030h] 14_2_0396849B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A114FB mov eax, dword ptr fs:[00000030h] 14_2_03A114FB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6CF0 mov eax, dword ptr fs:[00000030h] 14_2_039D6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A28CD6 mov eax, dword ptr fs:[00000030h] 14_2_03A28CD6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039D6C0A mov eax, dword ptr fs:[00000030h] 14_2_039D6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A11C06 mov eax, dword ptr fs:[00000030h] 14_2_03A11C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_03A2740D mov eax, dword ptr fs:[00000030h] 14_2_03A2740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398BC2C mov eax, dword ptr fs:[00000030h] 14_2_0398BC2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_039EC450 mov eax, dword ptr fs:[00000030h] 14_2_039EC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0398A44B mov eax, dword ptr fs:[00000030h] 14_2_0398A44B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 14_2_0397746D mov eax, dword ptr fs:[00000030h] 14_2_0397746D
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Code function: 8_2_0040A130 LdrLoadDll, 8_2_0040A130
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 104.195.7.239 80
Source: C:\Windows\explorer.exe Domain query: www.theguiriguide.com
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.212 80
Source: C:\Windows\explorer.exe Domain query: www.librevillegabon.com
Source: C:\Windows\explorer.exe Domain query: www.team-ctctitleco.com
Source: C:\Windows\explorer.exe Domain query: www.evertribute.com
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 1120000
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Memory written: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Process created: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe"
Source: explorer.exe, 0000000B.00000000.429405183.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.340340863.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.312051884.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 0000000B.00000000.349900984.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.434835236.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.312120732.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.357378647.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.429478272.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 0000000B.00000000.430191145.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.357720724.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.341085713.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Notificaci#U00f3n de pago.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Notificaci#U00f3n de pago.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Notificaci#U00f3n de pago.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
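The two Yara match lists above (Stealing of Sensitive Information and Remote Access Functionality) cite the same set of unpacked PEs and memory dumps, so the useful triage question is which process and which memory region those matches actually point at. The Python below is an added example written for this page; it is not part of the report and not Joe Sandbox tooling. It parses the identifiers exactly as listed (the input is copied from the lines above), decodes the fifth and seventh dotted fields of each .sdmp name as the winnt.h Protect and Type values of the region, and then flags regions that are both executable-writable and private, which is what injected or hollowed code looks like in memory. The assumptions are: the .sdmp layout (process number, dump stage, dump id, base address, protect, an undecoded field, region type, an undecoded field), that the process number is the analysis-local index rather than the OS PID, that stage 0 means dumped at process start and stage 2 at termination, and the helper names, which are mine.

```python
import re

# Constructed input: the memory-dump identifiers listed in this section, copied verbatim.
MEMORY_SOURCES = [
    "00000008.00000002.383069133.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000008.00000002.383525954.0000000001410000.00000040.10000000.00040000.00000000.sdmp",
    "00000008.00000002.383574580.0000000001440000.00000040.10000000.00040000.00000000.sdmp",
    "00000008.00000000.306288871.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000E.00000002.537261435.0000000003680000.00000004.00000800.00020000.00000000.sdmp",
    "00000008.00000000.305178001.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000B.00000000.366275281.0000000007136000.00000040.00000001.00040000.00000000.sdmp",
    "00000000.00000002.310859380.0000000003FFB000.00000004.00000800.00020000.00000000.sdmp",
    "0000000B.00000000.349080967.0000000007136000.00000040.00000001.00040000.00000000.sdmp",
    "0000000E.00000002.524275171.0000000000A60000.00000040.80000000.00040000.00000000.sdmp",
    "0000000E.00000002.529657171.0000000000FA0000.00000040.10000000.00040000.00000000.sdmp",
]
# Constructed input: the unpacked-PE identifiers from the same list (one per distinct address).
UNPACK_SOURCES = [
    "8.0.Notificaci#U00f3n de pago.exe.400000.4.unpack",
    "8.2.Notificaci#U00f3n de pago.exe.400000.0.raw.unpack",
    "0.2.Notificaci#U00f3n de pago.exe.4141a78.5.raw.unpack",
    "0.2.Notificaci#U00f3n de pago.exe.3ffb388.6.raw.unpack",
]

# winnt.h page protection constants. Assumption: field 5 of an .sdmp name is the
# region's Protect value as reported by VirtualQuery (MEMORY_BASIC_INFORMATION).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# MEMORY_BASIC_INFORMATION.Type values. Assumption: field 7 of an .sdmp name.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})"
    r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")
# process.stage.<image name, may contain dots>.<hex address>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9a-fA-F]+)\.(\d+)(\.raw)?\.unpack$")


def parse_sdmp(name):
    """Split an .sdmp identifier into its fields; two fields are kept undecoded."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp identifier: {name}")
    proc, stage, dump_id, base, prot, f6, mtype, f8 = m.groups()
    prot_v, type_v = int(prot, 16), int(mtype, 16)
    return {
        "process": int(proc, 16),   # analysis-local process number (assumption: not the OS PID)
        "stage": int(stage, 16),    # assumption: 0 = dumped at process start, 2 = at termination
        "dump_id": int(dump_id),
        "base": int(base, 16),
        "protect": PAGE_PROTECT.get(prot_v, hex(prot_v)),
        "type": MEM_TYPE.get(type_v, hex(type_v)),
        "undecoded": (f6, f8),
    }


def parse_unpack(name):
    """Split an .unpack identifier; the image name itself contains dots, hence the lazy match."""
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"not an unpack identifier: {name}")
    proc, stage, image, base, idx, raw = m.groups()
    return {"process": int(proc), "stage": int(stage), "image": image,
            "base": int(base, 16), "index": int(idx), "raw": raw is not None}


def rwx_private_regions(sdmp_names):
    """(process, base) pairs that are executable+writable and private, i.e. backed by
    neither an image nor a section: the shape of injected or hollowed code."""
    hits = set()
    for d in map(parse_sdmp, sdmp_names):
        if d["protect"] == "PAGE_EXECUTE_READWRITE" and d["type"] == "MEM_PRIVATE":
            hits.add((d["process"], d["base"]))
    return sorted(hits)


def present_at_both_stages(sdmp_names):
    """Regions dumped in the same process at stage 0 and stage 2: the payload was already
    there before the process ran its first instruction, so the parent wrote it."""
    by_stage = {0: set(), 2: set()}
    for d in map(parse_sdmp, sdmp_names):
        if d["stage"] in by_stage:
            by_stage[d["stage"]].add((d["process"], d["base"]))
    return sorted(by_stage[0] & by_stage[2])


def nearest_dump(process, addr, sdmp_names):
    """The dump in `process` with the highest base at or below addr, plus the offset into it.
    The names carry no region size, so a large offset is a hint, not a proof, of containment."""
    cands = [d for d in map(parse_sdmp, sdmp_names)
             if d["process"] == process and d["base"] <= addr]
    if not cands:
        return None
    d = max(cands, key=lambda c: c["base"])
    return d["base"], addr - d["base"]


def correlate(unpack_names, sdmp_names):
    """Map each unpacked PE to the memory dump it most plausibly was carved from."""
    return {n: nearest_dump(parse_unpack(n)["process"], parse_unpack(n)["base"], sdmp_names)
            for n in unpack_names}


if __name__ == "__main__":
    print("RWX private regions:", [(p, hex(b)) for p, b in rwx_private_regions(MEMORY_SOURCES)])
    print("Present at start and end:", [(p, hex(b)) for p, b in present_at_both_stages(MEMORY_SOURCES)])
    for n, hit in correlate(UNPACK_SOURCES, MEMORY_SOURCES).items():
        print(n, "->", None if hit is None else (hex(hit[0]), hex(hit[1])))
```

Run as written, the only region that is both RWX and private is process 8 at 0x400000, the default image base of a 32-bit executable, and the same region is present at stage 0 and stage 2. Under the stated assumptions that is the fingerprint of a hollowed process: the original image at 0x400000 was replaced with private, writable, executable memory before the process started. The 0x3ffb388 and 0x4141a78 unpacked PEs from process 0 resolve to the 0x3FFB000 dump at offsets 0x388 and 0x146A78; the first is clearly inside it, the second needs the region size (not in the name) to confirm.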