Edit tour

Windows Analysis Report
bpaymentcopy.exe

Overview

General Information

Sample name:	bpaymentcopy.exe
Analysis ID:	1566523
MD5:	5205be9a501dae770c6e557b5fdaeebc
SHA1:	a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256:	aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
Tags:	exePaymentuser-cocaman
Infos:

Detection

HawkEye, MailPassView, PredatorPainRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected HawkEye Keylogger

Yara detected MailPassView

Yara detected PredatorPainRAT

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Internet Provider seen in connection with other malware

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

bpaymentcopy.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

bpaymentcopy.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

bpaymentcopy.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\bpaymentcopy.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

Windows Update.exe (PID: 5272 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

Windows Update.exe (PID: 728 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WerFault.exe (PID: 7104 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052 MD5: C31336C1EFC2CCB44B4326EA793040F2)

vbc.exe (PID: 6324 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: D881DE17AA8F2E2C08CBB7B265F928F9)

WindowsUpdate.exe (PID: 2888 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WindowsUpdate.exe (PID: 4696 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WindowsUpdate.exe (PID: 6364 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WindowsUpdate.exe (PID: 5392 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WindowsUpdate.exe (PID: 1524 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 5205BE9A501DAE770C6E557B5FDAEEBC)

WerFault.exe (PID: 5308 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1300 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
HawkEye Keylogger, HawkEye, HawkEye Reborn	HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.	No Attribution	http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/ https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/	https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger

Malware Configuration

Threatname: HawkEye

{"Protocol": "SMTP", "Username": "compensation@britishcrowncourt.net", "Password": "@Hustle007ky1", "Host": "mail.britishcrowncourt.net", "Port": "587"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x5ac92:$string1: holderwb.txt 0x5acae:$string1: holderwb.txt 0x5ae14:$string3: There is a file attached to this email 0x5b41c:$string4: screens\screenshot 0x597ab:$string5: Disablelogger 0x59755:$string6: \pidloc.txt 0x59295:$string7: clearie 0x59853:$string7: clearie 0x592a5:$string8: clearff 0x5986b:$string8: clearff 0x59a8c:$string9: emails should be sent to you shortly 0x59f8c:$string11: open=Sys.exe 0x5976d:$ver1: PredatorLogger 0x59e6f:$ver3: Predator Pain 0x5ac4e:$ver3: Predator Pain 0x5adc3:$ver3: Predator Pain 0x5b00e:$ver3: Predator Pain
0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x5ac92:$string1: holderwb.txt 0x5acae:$string1: holderwb.txt 0x5ae14:$string3: There is a file attached to this email 0x5b41c:$string4: screens\screenshot 0x597ab:$string5: Disablelogger 0x59755:$string6: \pidloc.txt 0x59295:$string7: clearie 0x59853:$string7: clearie 0x592a5:$string8: clearff 0x5986b:$string8: clearff 0x59a8c:$string9: emails should be sent to you shortly 0x59f8c:$string11: open=Sys.exe 0x5976d:$ver1: PredatorLogger 0x59e6f:$ver3: Predator Pain 0x5ac4e:$ver3: Predator Pain 0x5adc3:$ver3: Predator Pain 0x5b00e:$ver3: Predator Pain
00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000006.00000002.2712752940.00000000039B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b6fa:$string1: holderwb.txt 0x7b716:$string1: holderwb.txt 0x7b87c:$string3: There is a file attached to this email 0x7be84:$string4: screens\screenshot 0x7a213:$string5: Disablelogger 0x7a1bd:$string6: \pidloc.txt 0x79cfd:$string7: clearie 0x7a2bb:$string7: clearie 0x79d0d:$string8: clearff 0x7a2d3:$string8: clearff 0x7a4f4:$string9: emails should be sent to you shortly 0x7a9f4:$string11: open=Sys.exe 0x7a1d5:$ver1: PredatorLogger 0x7a8d7:$ver3: Predator Pain 0x7b6b6:$ver3: Predator Pain 0x7b82b:$ver3: Predator Pain 0x7ba76:$ver3: Predator Pain
00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b6fa:$string1: holderwb.txt 0x7b716:$string1: holderwb.txt 0x7b87c:$string3: There is a file attached to this email 0x7be84:$string4: screens\screenshot 0x7a213:$string5: Disablelogger 0x7a1bd:$string6: \pidloc.txt 0x79cfd:$string7: clearie 0x7a2bb:$string7: clearie 0x79d0d:$string8: clearff 0x7a2d3:$string8: clearff 0x7a4f4:$string9: emails should be sent to you shortly 0x7a9f4:$string11: open=Sys.exe 0x7a1d5:$ver1: PredatorLogger 0x7a8d7:$ver3: Predator Pain 0x7b6b6:$ver3: Predator Pain 0x7b82b:$ver3: Predator Pain 0x7ba76:$ver3: Predator Pain
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x10ae72:$string1: holderwb.txt 0x10ae8e:$string1: holderwb.txt 0x10aff4:$string3: There is a file attached to this email 0x10b5fc:$string4: screens\screenshot 0x10998b:$string5: Disablelogger 0x109935:$string6: \pidloc.txt 0x109475:$string7: clearie 0x109a33:$string7: clearie 0x109485:$string8: clearff 0x109a4b:$string8: clearff 0x109c6c:$string9: emails should be sent to you shortly 0x10a16c:$string11: open=Sys.exe 0x10994d:$ver1: PredatorLogger 0x10a04f:$ver3: Predator Pain 0x10ae2e:$ver3: Predator Pain 0x10afa3:$ver3: Predator Pain 0x10b1ee:$ver3: Predator Pain
0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x10ae72:$string1: holderwb.txt 0x10ae8e:$string1: holderwb.txt 0x10aff4:$string3: There is a file attached to this email 0x10b5fc:$string4: screens\screenshot 0x10998b:$string5: Disablelogger 0x109935:$string6: \pidloc.txt 0x109475:$string7: clearie 0x109a33:$string7: clearie 0x109485:$string8: clearff 0x109a4b:$string8: clearff 0x109c6c:$string9: emails should be sent to you shortly 0x10a16c:$string11: open=Sys.exe 0x10994d:$ver1: PredatorLogger 0x10a04f:$ver3: Predator Pain 0x10ae2e:$ver3: Predator Pain 0x10afa3:$ver3: Predator Pain 0x10b1ee:$ver3: Predator Pain
00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x3e258:$string3: There is a file attached to this email 0xd41bc:$string4: screens\screenshot 0x2f898:$string5: Disablelogger 0x2f81c:$string6: \pidloc.txt 0x28f18:$string7: clearie 0x2f9c0:$string7: clearie 0x28f34:$string8: clearff 0x2f9e4:$string8: clearff 0x3b146:$string9: emails should be sent to you shortly 0xd5b66:$string9: emails should be sent to you shortly 0x2043c8:$string11: open=Sys.exe 0x2f840:$ver1: PredatorLogger 0x3b5fc:$ver3: Predator Pain 0x3e1fc:$ver3: Predator Pain 0xd3d70:$ver3: Predator Pain 0x201770:$ver3: Predator Pain
00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x3e258:$string3: There is a file attached to this email 0xd41bc:$string4: screens\screenshot 0x2f898:$string5: Disablelogger 0x2f81c:$string6: \pidloc.txt 0x28f18:$string7: clearie 0x2f9c0:$string7: clearie 0x28f34:$string8: clearff 0x2f9e4:$string8: clearff 0x3b146:$string9: emails should be sent to you shortly 0xd5b66:$string9: emails should be sent to you shortly 0x2043c8:$string11: open=Sys.exe 0x2f840:$ver1: PredatorLogger 0x3b5fc:$ver3: Predator Pain 0x3e1fc:$ver3: Predator Pain 0xd3d70:$ver3: Predator Pain 0x201770:$ver3: Predator Pain
Process Memory Space: bpaymentcopy.exe PID: 6468	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: bpaymentcopy.exe PID: 6468	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Windows Update.exe PID: 728	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Windows Update.exe PID: 728	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Windows Update.exe PID: 728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 2888	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 2888	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 2888	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 5392	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 5392	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: WindowsUpdate.exe PID: 5392	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.Windows Update.exe.39b9970.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3f93d46.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.bpaymentcopy.exe.45e7ae.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Windows Update.exe.39b9970.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
6.2.Windows Update.exe.3a2f7e0.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.bpaymentcopy.exe.408949.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x1ef4c:$string1: holderwb.txt 0x1ef68:$string1: holderwb.txt 0x1f0ce:$string3: There is a file attached to this email 0x1f6d6:$string4: screens\screenshot 0x1da65:$string5: Disablelogger 0x1da0f:$string6: \pidloc.txt 0x1d54f:$string7: clearie 0x1db0d:$string7: clearie 0x1d55f:$string8: clearff 0x1db25:$string8: clearff 0x1dd46:$string9: emails should be sent to you shortly 0x1e246:$string11: open=Sys.exe 0x1da27:$ver1: PredatorLogger 0x1e129:$ver3: Predator Pain 0x1ef08:$ver3: Predator Pain 0x1f07d:$ver3: Predator Pain 0x1f2c8:$ver3: Predator Pain
15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ef4c:$string1: holderwb.txt 0x1ef68:$string1: holderwb.txt 0x1f0ce:$string3: There is a file attached to this email 0x1f6d6:$string4: screens\screenshot 0x1da65:$string5: Disablelogger 0x1da0f:$string6: \pidloc.txt 0x1d54f:$string7: clearie 0x1db0d:$string7: clearie 0x1d55f:$string8: clearff 0x1db25:$string8: clearff 0x1dd46:$string9: emails should be sent to you shortly 0x1e246:$string11: open=Sys.exe 0x1da27:$ver1: PredatorLogger 0x1e129:$ver3: Predator Pain 0x1ef08:$ver3: Predator Pain 0x1f07d:$ver3: Predator Pain 0x1f2c8:$ver3: Predator Pain
12.2.WindowsUpdate.exe.426f0c1.4.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x1ef4c:$string1: holderwb.txt 0x1ef68:$string1: holderwb.txt 0x1f0ce:$string3: There is a file attached to this email 0x1f6d6:$string4: screens\screenshot 0x1da65:$string5: Disablelogger 0x1da0f:$string6: \pidloc.txt 0x1d54f:$string7: clearie 0x1db0d:$string7: clearie 0x1d55f:$string8: clearff 0x1db25:$string8: clearff 0x1dd46:$string9: emails should be sent to you shortly 0x1e246:$string11: open=Sys.exe 0x1da27:$ver1: PredatorLogger 0x1e129:$ver3: Predator Pain 0x1ef08:$ver3: Predator Pain 0x1f07d:$ver3: Predator Pain 0x1f2c8:$ver3: Predator Pain
2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ef4c:$string1: holderwb.txt 0x1ef68:$string1: holderwb.txt 0x1f0ce:$string3: There is a file attached to this email 0x1f6d6:$string4: screens\screenshot 0x1da65:$string5: Disablelogger 0x1da0f:$string6: \pidloc.txt 0x1d54f:$string7: clearie 0x1db0d:$string7: clearie 0x1d55f:$string8: clearff 0x1db25:$string8: clearff 0x1dd46:$string9: emails should be sent to you shortly 0x1e246:$string11: open=Sys.exe 0x1da27:$ver1: PredatorLogger 0x1e129:$ver3: Predator Pain 0x1ef08:$ver3: Predator Pain 0x1f07d:$ver3: Predator Pain 0x1f2c8:$ver3: Predator Pain
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x767b6:$string1: holderwb.txt 0x767d2:$string1: holderwb.txt 0x76938:$string3: There is a file attached to this email 0x76f40:$string4: screens\screenshot 0x752cf:$string5: Disablelogger 0x75279:$string6: \pidloc.txt 0x74db9:$string7: clearie 0x75377:$string7: clearie 0x74dc9:$string8: clearff 0x7538f:$string8: clearff 0x755b0:$string9: emails should be sent to you shortly 0x75ab0:$string11: open=Sys.exe 0x75291:$ver1: PredatorLogger 0x75993:$ver3: Predator Pain 0x76772:$ver3: Predator Pain 0x768e7:$ver3: Predator Pain 0x76b32:$ver3: Predator Pain
2.2.bpaymentcopy.exe.406f44.0.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x767b6:$string1: holderwb.txt 0x767d2:$string1: holderwb.txt 0x76938:$string3: There is a file attached to this email 0x76f40:$string4: screens\screenshot 0x752cf:$string5: Disablelogger 0x75279:$string6: \pidloc.txt 0x74db9:$string7: clearie 0x75377:$string7: clearie 0x74dc9:$string8: clearff 0x7538f:$string8: clearff 0x755b0:$string9: emails should be sent to you shortly 0x75ab0:$string11: open=Sys.exe 0x75291:$ver1: PredatorLogger 0x75993:$ver3: Predator Pain 0x76772:$ver3: Predator Pain 0x768e7:$ver3: Predator Pain 0x76b32:$ver3: Predator Pain
2.2.bpaymentcopy.exe.400000.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.bpaymentcopy.exe.400000.1.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.bpaymentcopy.exe.400000.1.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.bpaymentcopy.exe.400000.1.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
2.2.bpaymentcopy.exe.400000.1.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8fa:$string1: holderwb.txt 0x7b916:$string1: holderwb.txt 0x7ba7c:$string3: There is a file attached to this email 0x7c084:$string4: screens\screenshot 0x7a413:$string5: Disablelogger 0x7a3bd:$string6: \pidloc.txt 0x79efd:$string7: clearie 0x7a4bb:$string7: clearie 0x79f0d:$string8: clearff 0x7a4d3:$string8: clearff 0x7a6f4:$string9: emails should be sent to you shortly 0x7abf4:$string11: open=Sys.exe 0x7a3d5:$ver1: PredatorLogger 0x7aad7:$ver3: Predator Pain 0x7b8b6:$ver3: Predator Pain 0x7ba2b:$ver3: Predator Pain 0x7bc76:$ver3: Predator Pain
2.2.bpaymentcopy.exe.400000.1.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b8fa:$string1: holderwb.txt 0x7b916:$string1: holderwb.txt 0x7ba7c:$string3: There is a file attached to this email 0x7c084:$string4: screens\screenshot 0x7a413:$string5: Disablelogger 0x7a3bd:$string6: \pidloc.txt 0x79efd:$string7: clearie 0x7a4bb:$string7: clearie 0x79f0d:$string8: clearff 0x7a4d3:$string8: clearff 0x7a6f4:$string9: emails should be sent to you shortly 0x7abf4:$string11: open=Sys.exe 0x7a3d5:$ver1: PredatorLogger 0x7aad7:$ver3: Predator Pain 0x7b8b6:$ver3: Predator Pain 0x7ba2b:$ver3: Predator Pain 0x7bc76:$ver3: Predator Pain
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x74db1:$string1: holderwb.txt 0x74dcd:$string1: holderwb.txt 0x74f33:$string3: There is a file attached to this email 0x7553b:$string4: screens\screenshot 0x738ca:$string5: Disablelogger 0x73874:$string6: \pidloc.txt 0x733b4:$string7: clearie 0x73972:$string7: clearie 0x733c4:$string8: clearff 0x7398a:$string8: clearff 0x73bab:$string9: emails should be sent to you shortly 0x740ab:$string11: open=Sys.exe 0x7388c:$ver1: PredatorLogger 0x73f8e:$ver3: Predator Pain 0x74d6d:$ver3: Predator Pain 0x74ee2:$ver3: Predator Pain 0x7512d:$ver3: Predator Pain
12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x74db1:$string1: holderwb.txt 0x74dcd:$string1: holderwb.txt 0x74f33:$string3: There is a file attached to this email 0x7553b:$string4: screens\screenshot 0x738ca:$string5: Disablelogger 0x73874:$string6: \pidloc.txt 0x733b4:$string7: clearie 0x73972:$string7: clearie 0x733c4:$string8: clearff 0x7398a:$string8: clearff 0x73bab:$string9: emails should be sent to you shortly 0x740ab:$string11: open=Sys.exe 0x7388c:$ver1: PredatorLogger 0x73f8e:$ver3: Predator Pain 0x74d6d:$ver3: Predator Pain 0x74ee2:$ver3: Predator Pain 0x7512d:$ver3: Predator Pain
12.2.WindowsUpdate.exe.4268578.5.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
12.2.WindowsUpdate.exe.4268578.5.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
12.2.WindowsUpdate.exe.4268578.5.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.WindowsUpdate.exe.4268578.5.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
12.2.WindowsUpdate.exe.4268578.5.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x79afa:$string1: holderwb.txt 0x79b16:$string1: holderwb.txt 0x79c7c:$string3: There is a file attached to this email 0x7a284:$string4: screens\screenshot 0x78613:$string5: Disablelogger 0x785bd:$string6: \pidloc.txt 0x780fd:$string7: clearie 0x786bb:$string7: clearie 0x7810d:$string8: clearff 0x786d3:$string8: clearff 0x788f4:$string9: emails should be sent to you shortly 0x78df4:$string11: open=Sys.exe 0x785d5:$ver1: PredatorLogger 0x78cd7:$ver3: Predator Pain 0x79ab6:$ver3: Predator Pain 0x79c2b:$ver3: Predator Pain 0x79e76:$ver3: Predator Pain
12.2.WindowsUpdate.exe.4268578.5.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x79afa:$string1: holderwb.txt 0x79b16:$string1: holderwb.txt 0x79c7c:$string3: There is a file attached to this email 0x7a284:$string4: screens\screenshot 0x78613:$string5: Disablelogger 0x785bd:$string6: \pidloc.txt 0x780fd:$string7: clearie 0x786bb:$string7: clearie 0x7810d:$string8: clearff 0x786d3:$string8: clearff 0x788f4:$string9: emails should be sent to you shortly 0x78df4:$string11: open=Sys.exe 0x785d5:$ver1: PredatorLogger 0x78cd7:$ver3: Predator Pain 0x79ab6:$ver3: Predator Pain 0x79c2b:$ver3: Predator Pain 0x79e76:$ver3: Predator Pain
2.2.bpaymentcopy.exe.408949.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
2.2.bpaymentcopy.exe.408949.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
2.2.bpaymentcopy.exe.408949.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
2.2.bpaymentcopy.exe.408949.2.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
2.2.bpaymentcopy.exe.408949.2.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x74db1:$string1: holderwb.txt 0x74dcd:$string1: holderwb.txt 0x74f33:$string3: There is a file attached to this email 0x7553b:$string4: screens\screenshot 0x738ca:$string5: Disablelogger 0x73874:$string6: \pidloc.txt 0x733b4:$string7: clearie 0x73972:$string7: clearie 0x733c4:$string8: clearff 0x7398a:$string8: clearff 0x73bab:$string9: emails should be sent to you shortly 0x740ab:$string11: open=Sys.exe 0x7388c:$ver1: PredatorLogger 0x73f8e:$ver3: Predator Pain 0x74d6d:$ver3: Predator Pain 0x74ee2:$ver3: Predator Pain 0x7512d:$ver3: Predator Pain
2.2.bpaymentcopy.exe.408949.2.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x74db1:$string1: holderwb.txt 0x74dcd:$string1: holderwb.txt 0x74f33:$string3: There is a file attached to this email 0x7553b:$string4: screens\screenshot 0x738ca:$string5: Disablelogger 0x73874:$string6: \pidloc.txt 0x733b4:$string7: clearie 0x73972:$string7: clearie 0x733c4:$string8: clearff 0x7398a:$string8: clearff 0x73bab:$string9: emails should be sent to you shortly 0x740ab:$string11: open=Sys.exe 0x7388c:$ver1: PredatorLogger 0x73f8e:$ver3: Predator Pain 0x74d6d:$ver3: Predator Pain 0x74ee2:$ver3: Predator Pain 0x7512d:$ver3: Predator Pain
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x767b6:$string1: holderwb.txt 0x767d2:$string1: holderwb.txt 0x76938:$string3: There is a file attached to this email 0x76f40:$string4: screens\screenshot 0x752cf:$string5: Disablelogger 0x75279:$string6: \pidloc.txt 0x74db9:$string7: clearie 0x75377:$string7: clearie 0x74dc9:$string8: clearff 0x7538f:$string8: clearff 0x755b0:$string9: emails should be sent to you shortly 0x75ab0:$string11: open=Sys.exe 0x75291:$ver1: PredatorLogger 0x75993:$ver3: Predator Pain 0x76772:$ver3: Predator Pain 0x768e7:$ver3: Predator Pain 0x76b32:$ver3: Predator Pain
12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x767b6:$string1: holderwb.txt 0x767d2:$string1: holderwb.txt 0x76938:$string3: There is a file attached to this email 0x76f40:$string4: screens\screenshot 0x752cf:$string5: Disablelogger 0x75279:$string6: \pidloc.txt 0x74db9:$string7: clearie 0x75377:$string7: clearie 0x74dc9:$string8: clearff 0x7538f:$string8: clearff 0x755b0:$string9: emails should be sent to you shortly 0x75ab0:$string11: open=Sys.exe 0x75291:$ver1: PredatorLogger 0x75993:$ver3: Predator Pain 0x76772:$ver3: Predator Pain 0x768e7:$ver3: Predator Pain 0x76b32:$ver3: Predator Pain
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x7b8fa:$string1: holderwb.txt 0x7b916:$string1: holderwb.txt 0x7ba7c:$string3: There is a file attached to this email 0x7c084:$string4: screens\screenshot 0x7a413:$string5: Disablelogger 0x7a3bd:$string6: \pidloc.txt 0x79efd:$string7: clearie 0x7a4bb:$string7: clearie 0x79f0d:$string8: clearff 0x7a4d3:$string8: clearff 0x7a6f4:$string9: emails should be sent to you shortly 0x7abf4:$string11: open=Sys.exe 0x7a3d5:$ver1: PredatorLogger 0x7aad7:$ver3: Predator Pain 0x7b8b6:$ver3: Predator Pain 0x7ba2b:$ver3: Predator Pain 0x7bc76:$ver3: Predator Pain
12.2.WindowsUpdate.exe.4268578.5.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b8fa:$string1: holderwb.txt 0x7b916:$string1: holderwb.txt 0x7ba7c:$string3: There is a file attached to this email 0x7c084:$string4: screens\screenshot 0x7a413:$string5: Disablelogger 0x7a3bd:$string6: \pidloc.txt 0x79efd:$string7: clearie 0x7a4bb:$string7: clearie 0x79f0d:$string8: clearff 0x7a4d3:$string8: clearff 0x7a6f4:$string9: emails should be sent to you shortly 0x7abf4:$string11: open=Sys.exe 0x7a3d5:$ver1: PredatorLogger 0x7aad7:$ver3: Predator Pain 0x7b8b6:$ver3: Predator Pain 0x7ba2b:$ver3: Predator Pain 0x7bc76:$ver3: Predator Pain
6.2.Windows Update.exe.3a2f7e0.2.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
6.2.Windows Update.exe.29db894.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
6.2.Windows Update.exe.29db894.1.raw.unpack	JoeSecurity_PredatorPainRAT	Yara detected PredatorPainRAT	Kevin Breen <kevin@techanarchy.net>
6.2.Windows Update.exe.29db894.1.raw.unpack	RAT_PredatorPain	Detects PredatorPain RAT	Kevin Breen <kevin@techanarchy.net>	0x139c4:$string3: There is a file attached to this email 0xa9928:$string4: screens\screenshot 0x5004:$string5: Disablelogger 0x4f88:$string6: \pidloc.txt 0x512c:$string7: clearie 0x5150:$string8: clearff 0x108b2:$string9: emails should be sent to you shortly 0xab2d2:$string9: emails should be sent to you shortly 0x1d9b34:$string11: open=Sys.exe 0x4fac:$ver1: PredatorLogger 0x10d68:$ver3: Predator Pain 0x13968:$ver3: Predator Pain 0xa94dc:$ver3: Predator Pain 0x1d6edc:$ver3: Predator Pain
6.2.Windows Update.exe.29db894.1.raw.unpack	PredatorPain	unknown	Kevin Breen <kevin@techanarchy.net>	0x139c4:$string3: There is a file attached to this email 0xa9928:$string4: screens\screenshot 0x5004:$string5: Disablelogger 0x4f88:$string6: \pidloc.txt 0x512c:$string7: clearie 0x5150:$string8: clearff 0x108b2:$string9: emails should be sent to you shortly 0xab2d2:$string9: emails should be sent to you shortly 0x1d9b34:$string11: open=Sys.exe 0x4fac:$ver1: PredatorLogger 0x10d68:$ver3: Predator Pain 0x13968:$ver3: Predator Pain 0xa94dc:$ver3: Predator Pain 0x1d6edc:$ver3: Predator Pain
Click to see the 59 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, ProcessId: 728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 207.204.50.48, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, Initiated: true, ProcessId: 728, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49711

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bpaymentcopy.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Avira: detection malicious, Label: HEUR/AGEN.1352223
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Avira: detection malicious, Label: HEUR/AGEN.1352223

Found malware configuration

Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack

Malware Configuration Extractor: HawkEye {"Protocol": "SMTP", "Username": "compensation@britishcrowncourt.net", "Password": "@Hustle007ky1", "Host": "mail.britishcrowncourt.net", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: bpaymentcopy.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: bpaymentcopy.exe

Joe Sandbox ML: detected

Source: bpaymentcopy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: bpaymentcopy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Accessibility.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb4r source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Remoting.pdbT source: WER8928.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.00000000010A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbh source: WER755D.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.0000000001057000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbP source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8928.tmp.dmp.9.dr
Source:	Binary string: ?oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: bpaymentcopy.exe, 00000002.00000002.2022046096.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2715381783.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.0000000003016000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdbBSJB source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342490521.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342864842.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3341159842.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdbTz source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: @o.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >*oVisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.2952697080.0000000000D88000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdbH source: WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdbAccessibility.dll source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.pdb4 source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Core.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.2952697080.0000000000D88000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb0_ source: WER8928.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbh source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdb source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342490521.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342864842.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3341159842.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr

Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $jq[autorun]
Source: WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]
Source: WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: [autorun]

Source: global traffic

TCP traffic: 192.168.2.5:49711 -> 207.204.50.48:587

Source: Joe Sandbox View

ASN Name: DEFENSE-NETUS DEFENSE-NETUS

Source: global traffic

TCP traffic: 192.168.2.5:49711 -> 207.204.50.48:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: 75.103.13.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: mail.britishcrowncourt.net

Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WindowsUpdate.exe, 0000000E.00000002.2908396687.0000000003131000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000010.00000002.3188318027.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo.com/foo
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: bpaymentcopy.exe, 00000002.00000002.2022046096.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000E.00000002.2908396687.0000000003131000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000010.00000002.3188318027.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whatismyipaddress.com/-
Source: Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.DeceptiveEngineering.com/path/logs.php
Source: WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.nirsoft.net/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected HawkEye Keylogger

Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Contains functionality to log keystrokes (.Net Source)

Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs

.Net Code: HookKeyboard

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects PredatorPain RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain Author: Kevin Breen <kevin@techanarchy.net>

Yara detected PredatorPainRAT

Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: bpaymentcopy.exe

PE file has nameless sections

Source: bpaymentcopy.exe	Static PE information: section name:
Source: Windows Update.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.6.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_011889F0	0_2_011889F0
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_01180860	0_2_01180860
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_0118A8C0	0_2_0118A8C0
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_01184AE8	0_2_01184AE8
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_0118897F	0_2_0118897F
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_01184A57	0_2_01184A57
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_01184AD8	0_2_01184AD8
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_01189CB0	0_2_01189CB0
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_04F90040	0_2_04F90040
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_02BAC0D8	2_2_02BAC0D8
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_05346470	2_2_05346470
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B0797	5_2_013B0797
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B89F0	5_2_013B89F0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B0860	5_2_013B0860
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013BA8C0	5_2_013BA8C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B4AE8	5_2_013B4AE8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B4A6A	5_2_013B4A6A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B4AD8	5_2_013B4AD8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B9CB0	5_2_013B9CB0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013B9CA0	5_2_013B9CA0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_0275AE28	6_2_0275AE28
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_0275C0D8	6_2_0275C0D8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_0275DAF0	6_2_0275DAF0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EEE888	6_2_08EEE888
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EEEEA8	6_2_08EEEEA8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE1F68	6_2_08EE1F68
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_018689F0	12_2_018689F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_0186A849	12_2_0186A849
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01860860	12_2_01860860
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01864AE8	12_2_01864AE8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_018689E3	12_2_018689E3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_0186A8C0	12_2_0186A8C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01864AD8	12_2_01864AD8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01864A57	12_2_01864A57
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01869CA0	12_2_01869CA0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_01869CB0	12_2_01869CB0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BAE28	14_2_017BAE28
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BC0D8	14_2_017BC0D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BDD48	14_2_017BDD48
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01350720	15_2_01350720
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_013589F0	15_2_013589F0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01350805	15_2_01350805
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_0135A8D0	15_2_0135A8D0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01354AE8	15_2_01354AE8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_013589E2	15_2_013589E2
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01350860	15_2_01350860
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_0135A8C0	15_2_0135A8C0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01354AD8	15_2_01354AD8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01359CB0	15_2_01359CB0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_01359CA0	15_2_01359CA0
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_00FFC0D8	16_2_00FFC0D8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 16_2_00FFDD48	16_2_00FFDD48

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052

Source: bpaymentcopy.exe, 00000000.00000002.3338926906.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoronavirus.dll8 vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000002.00000002.2022046096.0000000002D01000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs bpaymentcopy.exe
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000490000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.exe4 vs bpaymentcopy.exe

Source: bpaymentcopy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain
Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_PredatorPain date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects PredatorPain RAT, reference = http://malwareconfig.com/stats/PredatorPain
Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: PredatorPain date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/PredatorPain

Source: bpaymentcopy.exe	Static PE information: Section: V_cv5Ei ZLIB complexity 1.0003175562352014
Source: Windows Update.exe.2.dr	Static PE information: Section: V_cv5Ei ZLIB complexity 1.0003175562352014
Source: WindowsUpdate.exe.6.dr	Static PE information: Section: V_cv5Ei ZLIB complexity 1.0003175562352014

Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs

Base64 encoded string: 'Zl7QdZUnao4Dm7QjvpIm8FarFxCMcubt6hScGyARtcgWXXWkqLdW7Pi5ndNM+DtaAfjAFC+8iRysPjOiMEtmlBbVYl6xX8GxAj0R4mNp63k=', 'nZjafIAad0o0z4VdV5KKsAdE4EpmfQm4JYSROKdhecuTrq3CWgeATz0zGIY2ltmuiVXyvrS2Odt67/kGlgea0Q==', 'o+TXX1f4p+gSbuvb4Z4e9EvdPEKQvcXTEeE28Q81zlYofHgLZ6TEddQtqDC5sL6x/eAO8gPqsr0a/sgPQlsFurtt5//LcRwRH0pZwXRgcU9FUJrhoFevRT78Q2E8Q+IDJXBUQ8grbqzqZ2o4RpVM+g=='

Source: WindowsUpdate.exe, 00000010.00000002.3047251351.0000000001088000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@21/18@2/2

Source: C:\Users\user\Desktop\bpaymentcopy.exe

File created: C:\Users\user\AppData\Roaming\Windows Update.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1524
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess728

Source: C:\Users\user\Desktop\bpaymentcopy.exe

File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt

Jump to behavior

Source: bpaymentcopy.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\bpaymentcopy.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: bpaymentcopy.exe

ReversingLabs: Detection: 73%

Source: C:\Users\user\Desktop\bpaymentcopy.exe

File read: C:\Users\user\Desktop\bpaymentcopy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1300
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\bpaymentcopy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: bpaymentcopy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: bpaymentcopy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Accessibility.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb4r source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Runtime.Remoting.pdbT source: WER8928.tmp.dmp.9.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.00000000010A9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbh source: WER755D.tmp.dmp.20.dr
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.0000000001057000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbP source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WER8928.tmp.dmp.9.dr
Source:	Binary string: ?oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: bpaymentcopy.exe, 00000002.00000002.2022046096.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2715381783.0000000008EF0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.0000000003016000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdbBSJB source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342490521.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342864842.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3341159842.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: Accessibility.pdbTz source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Xml.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: @o.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.pdb8S source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Runtime.Remoting.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Configuration.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.3047251351.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >*oVisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.2952697080.0000000000D88000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: %%.pdb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Xml.pdbH source: WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: mscorlib.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdbAccessibility.dll source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Drawing.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Management.ni.pdb source: WER8928.tmp.dmp.9.dr
Source:	Binary string: System.pdb4 source: WER755D.tmp.dmp.20.dr
Source:	Binary string: System.Core.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: WindowsUpdate.exe, 00000010.00000002.2952697080.0000000000D88000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb0_ source: WER8928.tmp.dmp.9.dr
Source:	Binary string: symbols\dll\mscorlib.pdbLb source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbh source: Windows Update.exe, 00000006.00000002.2715638375.000000000A6DA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Mysterio\Documents\Visual Studio 2012\Projects\Coronavirus\Coronavirus\obj\Debug\Coronavirus.pdb source: bpaymentcopy.exe, 00000000.00000002.3342905322.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342490521.0000000002FA0000.00000004.08000000.00040000.00000000.sdmp, Windows Update.exe, 00000005.00000002.3342864842.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3341159842.00000000031D1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WER755D.tmp.dmp.20.dr, WER8928.tmp.dmp.9.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs	.Net Code: IsDotNet System.Reflection.Assembly.Load(byte[])
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, Form1.cs	.Net Code: run System.Reflection.Assembly.Load(byte[])

Source: bpaymentcopy.exe	Static PE information: section name: V_cv5Ei
Source: bpaymentcopy.exe	Static PE information: section name:
Source: Windows Update.exe.2.dr	Static PE information: section name: V_cv5Ei
Source: Windows Update.exe.2.dr	Static PE information: section name:
Source: WindowsUpdate.exe.6.dr	Static PE information: section name: V_cv5Ei
Source: WindowsUpdate.exe.6.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 0_2_0118B588 push eax; iretd	0_2_0118B589
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_02BAF490 push esp; iretd	2_2_02BAF491
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_02BAF4D2 pushad ; iretd	2_2_02BAF4B9
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_02BAF512 pushfd ; iretd	2_2_02BAF519
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Code function: 2_2_05346CFA pushfd ; retf 0524h	2_2_05346D11
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 5_2_013BB588 push eax; iretd	5_2_013BB589
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_0275F490 push esp; iretd	6_2_0275F491
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2AE0 push eax; ret	6_2_08EE2AC2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2AA8 push eax; ret	6_2_08EE2AB2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2AB8 push eax; ret	6_2_08EE2AC2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2A98 push eax; ret	6_2_08EE2AA2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2A6B push eax; ret	6_2_08EE2A92
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2A58 push eax; ret	6_2_08EE2A42
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 6_2_08EE2A28 push eax; ret	6_2_08EE2A42
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_0186B588 push eax; iretd	12_2_0186B589
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BAAE0 push 24418B05h; ret	14_2_017BAAF3
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BF513 pushfd ; iretd	14_2_017BF519
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 14_2_017BF490 push esp; iretd	14_2_017BF491
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 15_2_0135B588 push eax; iretd	15_2_0135B589

Source: bpaymentcopy.exe	Static PE information: section name: V_cv5Ei entropy: 7.9997060342549515
Source: Windows Update.exe.2.dr	Static PE information: section name: V_cv5Ei entropy: 7.9997060342549515
Source: WindowsUpdate.exe.6.dr	Static PE information: section name: V_cv5Ei entropy: 7.9997060342549515

Source: C:\Users\user\Desktop\bpaymentcopy.exe	File created: C:\Users\user\AppData\Roaming\Windows Update.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (132).png

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 5392, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: bpaymentcopy.exe, WindowsUpdate.exe.6.dr, Windows Update.exe.2.dr	Binary or memory string: L'). ONLY 'WINDBG.EXE' OR 'CDB.EXE' ARE SUPPORTED.
Source: bpaymentcopy.exe, WindowsUpdate.exe.6.dr, Windows Update.exe.2.dr	Binary or memory string: WINDBG.EXE
Source: bpaymentcopy.exe, WindowsUpdate.exe.6.dr, Windows Update.exe.2.dr	Binary or memory string: PLEASE EDIT THE PATH TO THE DEBUGGERS (WINDBG.EXE OR CDB.EXE).7
Source: bpaymentcopy.exe, WindowsUpdate.exe.6.dr, Windows Update.exe.2.dr	Binary or memory string: <DEBUGGER>: SUPPORTED DEBUGGERS ARE WINDBG.EXE AND CDB.EXE.

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: 27B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: 2D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory allocated: 4D00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 30C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 50C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 28D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 1840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 51D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 17B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 5130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 1350000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 4E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: FF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 4C60000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\bpaymentcopy.exe TID: 4404	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 1852	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 3576	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -99718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -99531s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -99339s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -99171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -99062s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -43199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 5012	Thread sleep time: -43015s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 2148	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6848	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 99718	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 99531	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 99339	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 99171	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 99062	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 43199	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 43015	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: bpaymentcopy.exe, 00000002.00000002.2020679312.0000000000E36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}W
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: bpaymentcopy.exe, 00000002.00000002.2020679312.0000000000E36000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000E.00000002.2828790811.00000000015C7000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 00000010.00000002.3047251351.00000000010A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Windows Update.exe, 00000006.00000002.2708132026.0000000000A19000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: bpaymentcopy.exe, 00000002.00000002.2113530787.0000000007210000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: r&Prod_VMware_SA
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Code function: 0_2_0118D248 CheckRemoteDebuggerPresent,

0_2_0118D248

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Code function: 0_2_01184AE8 LdrInitializeThunk,

0_2_01184AE8

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code contains process injector

Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 2.2.bpaymentcopy.exe.2d5e0fc.4.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 6.2.Windows Update.exe.3126168.0.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 6.2.Windows Update.exe.8ef0000.4.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 12.2.WindowsUpdate.exe.42fc4dc.2.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code
Source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, CMemoryExecute.cs	.Net Code: Run contains injection code

.NET source code references suspicious native API functions

Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: VirtualAllocEx((IntPtr)array4[0], intPtr, (uint)(ptr2 + 80), 12288u, 64u)
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: NtWriteVirtualMemory((IntPtr)array4[0], intPtr, (IntPtr)ptr5, (uint)(ptr2 + 84), IntPtr.Zero)
Source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, CMemoryExecute.cs	Reference to suspicious API methods: NtSetContextThread((IntPtr)array4[1], (IntPtr)ptr4)
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, RunPE.cs	Reference to suspicious API methods: ReadProcessMemory(, , ref , 2, ref )
Source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, RunPE.cs	Reference to suspicious API methods: WriteProcessMemory(array[0], , data, , ref )

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Memory written: C:\Users\user\Desktop\bpaymentcopy.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Users\user\AppData\Roaming\Windows Update.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\WindowsUpdate.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory written: C:\Users\user\AppData\Roaming\WindowsUpdate.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\Desktop\bpaymentcopy.exe "C:\Users\user\Desktop\bpaymentcopy.exe"	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"

Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Users\user\Desktop\bpaymentcopy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Users\user\Desktop\bpaymentcopy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bpaymentcopy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Users\user\AppData\Roaming\Windows Update.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Users\user\AppData\Roaming\WindowsUpdate.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation

Source: C:\Users\user\Desktop\bpaymentcopy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Windows Update.exe, 00000006.00000002.2713958753.00000000071F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected HawkEye Keylogger

Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected MailPassView

Source: Yara match	File source: 6.2.Windows Update.exe.39b9970.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.39b9970.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2712752940.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bpaymentcopy.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 5392, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: 6.2.Windows Update.exe.3a2f7e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.3a2f7e0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: bpaymentcopy.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WindowsUpdate.exe PID: 5392, type: MEMORYSTR

Remote Access Functionality

Yara detected HawkEye Keylogger

Source: Yara match	File source: 15.2.WindowsUpdate.exe.3f93d46.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.45e7ae.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.406f44.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426f0c1.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.bpaymentcopy.exe.408949.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.426d6bc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.WindowsUpdate.exe.4268578.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.Windows Update.exe.29db894.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 Peripheral Device Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	211 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 File and Directory Discovery	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	331 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	41 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
bpaymentcopy.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AveMaria
bpaymentcopy.exe	100%	Avira	HEUR/AGEN.1352223
bpaymentcopy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Avira	HEUR/AGEN.1352223
C:\Users\user\AppData\Roaming\Windows Update.exe	100%	Avira	HEUR/AGEN.1352223
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windows Update.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windows Update.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AveMaria
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.AveMaria

Source	Detection	Scanner	Label	Link
http://www.DeceptiveEngineering.com/path/logs.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.britishcrowncourt.net	207.204.50.48	true	true		unknown
75.103.13.0.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.9.dr	false		high
http://www.nirsoft.net/	WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.DeceptiveEngineering.com/path/logs.php	Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	bpaymentcopy.exe, 00000002.00000002.2022046096.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000E.00000002.2908396687.0000000003131000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000010.00000002.3188318027.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://foo.com/foo	WindowsUpdate.exe, 0000000E.00000002.2908396687.0000000003131000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 00000010.00000002.3188318027.0000000002C93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://whatismyipaddress.com/-	bpaymentcopy.exe, 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
207.204.50.48	mail.britishcrowncourt.net	United States		55002	DEFENSE-NETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1566523
Start date and time:	2024-12-02 11:29:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bpaymentcopy.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@21/18@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 195 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.189.173.20
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: bpaymentcopy.exe

Simulations

Behavior and APIs

Time	Type	Description
05:29:53	API Interceptor	1x Sleep call for process: bpaymentcopy.exe modified
05:29:56	API Interceptor	13x Sleep call for process: Windows Update.exe modified
05:31:02	API Interceptor	2x Sleep call for process: WerFault.exe modified
11:30:11	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
11:30:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DEFENSE-NETUS	phish_alert_iocp_v1.4.48 (80).eml	Get hash	malicious	InvoiceScam	Browse	107.162.175.186
	2stage.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	2stage.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	I_ Ultima richiesta di pagamento finale per Cuzziol beverage s_r_l__.msg	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	_DRP12938938231_PDF.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	ryOpDCeOHz.ps1	Get hash	malicious	Unknown	Browse	206.188.196.37
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37
	Fdoze89ykv.js	Get hash	malicious	Mint Stealer	Browse	206.188.196.37

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Windows Update.e_67ef924b4c8d0c34ff9852e7fa92ec091c8d53_a7701f3f_439551e8-647b-4809-b1bd-c96247e73b88\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3244266841928185
Encrypted:	false
SSDEEP:	192:4VgTF0r0BU/6a6U+mjZr6YiR1HezuiFnZ24IO8g:mgTFbBU/6aj0TezuiFnY4IO8g
MD5:	DA51C130CA2EF4B7CE6D38E5FD6C2CC2
SHA1:	EC678758A4D4BAA25BDC5C0D24E10D85D26D1282
SHA-256:	625FCA831A8BD77A29E8FB596D90B9B438AB31CE4A5EB6D3D9E87BFA2E66A602
SHA-512:	1587CB6E1D387A5D626AE3F1C11CA0AF10D6DA9D5A1EADA550A786D973324E6AAE9DD7160B89AAD4BD76924635D39BFD814FA54442F1FA7829F95034CF0B8E32
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.6.0.9.0.0.8.2.3.1.5.5.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.6.0.9.0.1.0.1.8.4.6.8.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.3.9.5.5.1.e.8.-.6.4.7.b.-.4.8.0.9.-.b.1.b.d.-.c.9.6.2.4.7.e.7.3.b.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.5.6.c.d.6.8.-.0.6.f.b.-.4.a.6.1.-.9.0.d.8.-.e.4.2.5.e.9.2.a.0.f.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.b.p.a.y.m.e.n.t.c.o.p.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.d.8.-.0.0.0.1.-.0.0.1.4.-.d.2.d.4.-.f.7.2.0.a.5.4.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.f.1.8.9.6.5.2.3.0.b.6.4.f.0.4.0.c.1.e.4.2.2.6.1.1.3.7.b.6.b.f.0.0.0.0.0.0.0.0.!.0.0.0.0.a.8.a.3.4.7.9.6.e.0.5.a.c.4.f.f.1.a.0.b.9.2.b.d.b.b.a.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WindowsUpdate.ex_a8a48848cdd537f5d7a114773494bcb74310219d_c64eec3f_811ffd07-e382-45cb-b647-e69203908424\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0722736296332047
Encrypted:	false
SSDEEP:	192:X4lljWowAT0BU/Sa6U+momzuiFWZ24IO8o:AljxwPBU/SajlzuiFWY4IO8o
MD5:	526B919E679879EE7630A7C4F9406E2B
SHA1:	06EA0055E52FFBF8538692D567352FAD388E7F95
SHA-256:	EA116FB15708D2827AA3257CD20AEBA4035177CECCFF7BD52F75369D01AB8706
SHA-512:	54CD12D85E307CA62AF4667304517F663D28DF36F28BA5057EB29B470AC32ACA2977959A405FF992F6A86031EB2FFAE6840D35065327BD417E1A08F5CA0D1E24
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.6.0.9.0.6.8.6.4.2.1.9.2.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.6.0.9.0.7.3.0.3.2.8.2.5.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.1.f.f.d.0.7.-.e.3.8.2.-.4.5.c.b.-.b.6.4.7.-.e.6.9.2.0.3.9.0.8.4.2.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.6.1.1.b.b.d.-.5.f.7.9.-.4.1.f.c.-.a.2.4.a.-.f.d.9.e.8.1.f.a.2.c.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.n.d.o.w.s.U.p.d.a.t.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.b.p.a.y.m.e.n.t.c.o.p.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.f.4.-.0.0.0.1.-.0.0.1.4.-.d.f.f.d.-.9.c.3.b.a.5.4.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.f.1.8.9.6.5.2.3.0.b.6.4.f.0.4.0.c.1.e.4.2.2.6.1.1.3.7.b.6.b.f.0.0.0.0.0.0.0.0.!.0.0.0.0.a.8.a.3.4.7.9.6.e.0.5.a.c.4.f.f.1.a.0.b.9.2.b.d.b.b.a.e.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER755D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 2 10:31:09 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	248758
Entropy (8bit):	3.6986960177868773
Encrypted:	false
SSDEEP:	1536:0SyXdTtTF9ASVX4XuBojRC6cpN4uE2aOg0KuCDglA+LTgjiOe5tAxSF/y4Ct:0xrAyECp4uEqrKtf+LTguOiy4e
MD5:	B382EDCC9A469A82296FD35547354DFC
SHA1:	E1E8E2531F21043B53315F5FDD7AE6B994392DFF
SHA-256:	CD82D46EE6E7CBF096C12EE16DD64390F70B9C7B9E83999B02D56045194895A5
SHA-512:	65D4ADF5A9D8287996E9C261F3FDFED9334C66E0E4D9743BACBE438C531F1DCBC61914490FF15A0D442E40218056071DC46FA1FD0D5A85E25DFDE4E7F707D683
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......m.Mg....................................$....!......D....K..........`.......8...........T...........`2..V............"...........#..............................................................................eJ.......$......GenuineIntel............T...........O.Mg............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77FE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	3.7008722724996987
Encrypted:	false
SSDEEP:	192:R6l7wVeJFe6T6YSQ6+gmfZiEqprd89b9dsfzfm:R6lXJM6T6Yd6+gmf8Ed9Wfi
MD5:	9BD25D956D7772F4F44C9298057E4072
SHA1:	18EF4E407C9BE82B74CA11A43575BEC81F0284D3
SHA-256:	7D2B741EBE14581184885748CEFD3450CC53245F6A63C608410571775BE03661
SHA-512:	DE76A67A37CC8231EEDD2E5A5ABE8BA3CCBD650F2C55390C1F6F6EB7DB0F4863A94C21CCF99F3AB54FBF344D3DCAC5FA78D6D2CFF7FA63C1E2095FBE51E8D5C0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER785D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4816
Entropy (8bit):	4.52345964140142
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZvJg77aI9VkFWpW8VYXYm8M4J59L2F9B+q8vP9L3Xu6BDwMvd:uIjfPI7807VnJDL4BKVL37BLvd
MD5:	4ED8744736B3E0283C120DE722FEA92D
SHA1:	F878EE63DDFDDC35232C707D8262344C3922F62D
SHA-256:	2EF7E7CA73D6E3ECA34900B8F492C6E0DA18073B99FFED6EF4E47E5BE54F90C2
SHA-512:	171B05C924AC8CF3A339EFCE14FA64C781D2F91727C5C1A746D05D568A83246773E8FF6DEF7D47BC8054025F5FE665CEB5630CE76A364D5FE2568DEA010F9957
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="613533" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8928.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 2 10:30:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	469883
Entropy (8bit):	3.8144957897561285
Encrypted:	false
SSDEEP:	3072:FmRDdEZUbwkfQXqn2cNdKB67NcAqyFXnz4uEqRryZ1FI9D6LTgJCTIVQqmMPsV:FmdIUsk32cNG6JcfyVz4+2qYTgHb0
MD5:	9104C8AACD2A526AACAB6F7D49A3EC94
SHA1:	C908E491609C15335B0C4FCDBE52C71153A0B138
SHA-256:	147886DAA6C1D92053760F08B4C2A0CE9278A4813DD1AC40501C6D84285CF167
SHA-512:	742C299DCD4EB3C983270986AF20D483A490AAFA2ED6996E7F14C597A8015F2D88D71FC2573BA3D2BA6B98958E0BA40F832E9EA86482036065ABDAC70C6D4B92
Malicious:	false
Preview:	MDMP..a..... .......0.Mg............T...........h&..h.......$....1......$E..:...........`.......8...........T............X..s............1...........3..............................................................................eJ......x4......GenuineIntel............T...........#.Mg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BC9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8434
Entropy (8bit):	3.693437978900866
Encrypted:	false
SSDEEP:	192:R6l7wVeJ6O620i6YVP6ygmfZo9qprP89bMBsfzakm:R6lXJL6O6Yt6ygmfi93M6fzY
MD5:	A3BF07006506234F440D29D2438CFE2E
SHA1:	BF85E76C33A5017AB4EF28CAD6C25A1D7FD6292D
SHA-256:	CA69F865210719005414F889F9ECC9DEFE84FF45C20163EB430B022CC3367D90
SHA-512:	F1739668851EA393B8860E65A2B9ECC805F3EA7E6D687939377DC1B5D7F3EAE5B00A90D5B484F677B183133D8AFF85F800BD5CB67D36C71091D5D523F47B038C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.8.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C18.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4779
Entropy (8bit):	4.461811923246923
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZAJg77aI9VkFWpW8VYmYm8M4JV9W+Fx+q8vx9W2XuyrWd:uIjfUI7807VuJflKrNJrWd
MD5:	06305C863FD75AB2DA7F32501E7CAA20
SHA1:	B176B4F61D28E0C30AB62AAB1893CCAAD4A1F172
SHA-256:	DD5B7B309B04EED57F0F7329B1D4A0D0E01CC2FAF087E8A53B271D57F955876C
SHA-512:	FF3954833C0E7CC4313D65DA5477CE6A39ACED37B92A42C16F538FD648DDE57DD1BC7A18EBC7050EB68D5D23D0A953639C4540B515FF0E429695E9B2D08150B2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="613532" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bpaymentcopy.exe.log

Download File

Process:	C:\Users\user\Desktop\bpaymentcopy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.3387892510515025
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4sAmE4Ks:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzeL
MD5:	8C61F9E2B19E0315722C135D70192939
SHA1:	BFC216104805B4183FD0A9153EE0B39076AECCBC
SHA-256:	AFA04F5408E6285A7B01334D40EA524ADB37116790061849F4D6B48D880D93A0
SHA-512:	55CC4879F5AC9C5BDB659D0DC915102B39BC2035CF1C3CADBF3BE6A4447B5613A9D665FC06AD3F461803D04495AAD5EAB0758C02B8F110090FF6F791B80B270D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\SysInfo.txt

Download File

Process:	C:\Users\user\Desktop\bpaymentcopy.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.193942707918268
Encrypted:	false
SSDEEP:	3:oNUWJRWHEupC:oNNJAi
MD5:	2C3D3244E652520C0EBC5ACB6A6B2EB1
SHA1:	988BF27CD1E668449FDDB9276A9F9539EA32CB9E
SHA-256:	303EA1C8253A82249CB1AF191A536ED8BD28E3AF00A1FA5B6ECB52ECBC1CD181
SHA-512:	8F7A55D214FEA0687D64B2C591FF913E401DAA855AA2588A274D8EC7CF3406F24D7B3928002E0A810041BB54FBE2D6FE65992C8AADD04C07F7984C6EA2068637
Malicious:	false
Preview:	C:\Users\user\Desktop\bpaymentcopy.exe

C:\Users\user\AppData\Roaming\Windows Update.exe

Download File

Process:	C:\Users\user\Desktop\bpaymentcopy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	783360
Entropy (8bit):	7.767432012023201
Encrypted:	false
SSDEEP:	12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
MD5:	5205BE9A501DAE770C6E557B5FDAEEBC
SHA1:	A8A34796E05AC4FF1A0B92BDBBAEDC01E8CEDFA5
SHA-256:	ACA540B3AD20E1FD49EC550107EFF0C164990DE1067A9542DAF615465F82C331
SHA-512:	E7177C8F6562363751DEDF374195ED0C59BA478530BA58E2428A62BA40FBAE73C9DC9F55CDF8890779A9A848C53D6FEDD7BDB9658E995DF7331D8EEA6A05170D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ifFg.............................`... ... ....@.. ....................................@.................................X#..S.... .......................@.......................................................`............... ..H...........V_c.v5EiP.... ......................@....text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\bpaymentcopy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	783360
Entropy (8bit):	7.767432012023201
Encrypted:	false
SSDEEP:	12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
MD5:	5205BE9A501DAE770C6E557B5FDAEEBC
SHA1:	A8A34796E05AC4FF1A0B92BDBBAEDC01E8CEDFA5
SHA-256:	ACA540B3AD20E1FD49EC550107EFF0C164990DE1067A9542DAF615465F82C331
SHA-512:	E7177C8F6562363751DEDF374195ED0C59BA478530BA58E2428A62BA40FBAE73C9DC9F55CDF8890779A9A848C53D6FEDD7BDB9658E995DF7331D8EEA6A05170D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ifFg.............................`... ... ....@.. ....................................@.................................X#..S.... .......................@.......................................................`............... ..H...........V_c.v5EiP.... ......................@....text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B.............`...................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:kdn:kd
MD5:	D4C2E4A3297FE25A71D030B67EB83BFC
SHA1:	8E6B8A73BCE7324E2B6E4AFA73EE4215B98E9432
SHA-256:	7C3D90003D7D645BE0B5F3782533C198A5D5DEE06870420B4D594976ED857FC3
SHA-512:	052C5360459C741BCD1BE57B40BC17BC6E57974C7196B575FCB66455BB1959D804E461676D2C1A3C1013450EA1C1E92A9D54084A6D27AF70A546BD5CEA37EE05
Malicious:	false
Preview:	728

C:\Users\user\AppData\Roaming\pidloc.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.414177320667444
Encrypted:	false
SSDEEP:	3:oNUkh4EaKC59KYr4a:oN9aZ534a
MD5:	201BF2179D431C7E3205E5F410DCDB59
SHA1:	3F774846910F70FC1BCC69DE05E8F9EA4D893F34
SHA-256:	FBB871739943E63027102EF9DEECDFC261F94DD3FBB06087772EF705F182D13D
SHA-512:	0047D87CC9E2C50FB2217A4F1200973B575D30195BE7DF04E2F6B494350178568338FAA802DBE41AA47EC64C5A5699AC66B88D8C821CF2DD1F0EF1B93446F0E4
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\Windows Update.exe

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421885934482715
Encrypted:	false
SSDEEP:	6144:mSvfpi6ceLP/9skLmb0OT3WSPHaJG8nAgeMZMMhA2fX4WABlEnN90uhiTw:FvloT3W+EZMM6DFyz03w
MD5:	08BC5B2231C78559A4AA729E11606D24
SHA1:	7DC06C886E4FE7B15B68EA06278DC5089824EA86
SHA-256:	420CEB689769333CC5D2B640B39A93D7D006D74E27030D6E0E3718ECBA42AA0B
SHA-512:	BDA59E97144FE871AAFD5916619EA807D76AC7194EA6324D33728BADCB61AE01AA67BE19EB9E99D187B0F0D9C3EC0BA5AEE6EF1AF80E39B151FAA8EF975EF243
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..@(.D...............................................................................................................................................................................................................................................................................................................................................xW.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.767432012023201
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	bpaymentcopy.exe
File size:	783'360 bytes
MD5:	5205be9a501dae770c6e557b5fdaeebc
SHA1:	a8a34796e05ac4ff1a0b92bdbbaedc01e8cedfa5
SHA256:	aca540b3ad20e1fd49ec550107eff0c164990de1067a9542daf615465f82c331
SHA512:	e7177c8f6562363751dedf374195ed0c59ba478530ba58e2428a62ba40fbae73c9dc9f55cdf8890779a9a848c53d6fedd7bdb9658e995df7331d8eea6a05170d
SSDEEP:	12288:LXNrylgwbJqMBSlxaZmvB008Jz1vakTLAJnElBaSP6XQ2lfix4phRDiaZEAmD:MgwkMYxcmUzgkTL2FSPd2ExQhJ
TLSH:	35F4F19972A1758DE863C6718D744D7056233DA9833B820B609F395F6BBF2439E207B3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ifFg.............................`... ... ....@.. ....................................@................................

File Icon


Icon Hash:	0fd88dc89ea7861b

Static PE Info

General

Entrypoint:	0x4c600a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67466669 [Wed Nov 27 00:23:05 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004C6000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa2358	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x10ee8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc6000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0xa2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
V_cv5Ei	0x2000	0x9e550	0x9e600	897f1e5e7b13fe005bf00094cd8317b7	False	1.0003175562352014	data	7.9997060342549515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0xa2000	0xf5b0	0xf600	43f3f6f2592b49e2e2dc5ae689575496	False	0.32899834857723576	data	5.055454240221469	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x10ee8	0x11000	bfa0907edb9a6e2a322fa5c96e2c9190	False	0.15221449908088236	data	3.8727140961072473	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0xc	0x200	d7fa82ef30ede6d047e402cb61c2f9dc	False	0.044921875	data	0.09262353601004472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xc6000	0x10	0x200	f7d3a249690ab70304b3da037c414aaa	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb2130	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m	0.14468236129184905
RT_GROUP_ICON	0xc2958	0x14	data	1.0
RT_VERSION	0xc296c	0x390	data	0.3980263157894737
RT_MANIFEST	0xc2cfc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 11:30:07.712460041 CET	49711	587	192.168.2.5	207.204.50.48
Dec 2, 2024 11:30:07.832611084 CET	587	49711	207.204.50.48	192.168.2.5
Dec 2, 2024 11:30:07.832736015 CET	49711	587	192.168.2.5	207.204.50.48
Dec 2, 2024 11:30:08.976697922 CET	587	49711	207.204.50.48	192.168.2.5
Dec 2, 2024 11:30:09.051872015 CET	49711	587	192.168.2.5	207.204.50.48
Dec 2, 2024 11:31:03.461826086 CET	49711	587	192.168.2.5	207.204.50.48
Dec 2, 2024 11:31:03.581962109 CET	587	49711	207.204.50.48	192.168.2.5
Dec 2, 2024 11:31:03.793986082 CET	587	49711	207.204.50.48	192.168.2.5
Dec 2, 2024 11:31:03.848870039 CET	49711	587	192.168.2.5	207.204.50.48
Dec 2, 2024 11:31:04.858228922 CET	49711	587	192.168.2.5	207.204.50.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2024 11:29:59.748068094 CET	60765	53	192.168.2.5	1.1.1.1
Dec 2, 2024 11:29:59.885968924 CET	53	60765	1.1.1.1	192.168.2.5
Dec 2, 2024 11:30:06.867222071 CET	53283	53	192.168.2.5	1.1.1.1
Dec 2, 2024 11:30:07.548091888 CET	53	53283	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 2, 2024 11:29:59.748068094 CET	192.168.2.5	1.1.1.1	0x4a03	Standard query (0)	75.103.13.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Dec 2, 2024 11:30:06.867222071 CET	192.168.2.5	1.1.1.1	0xea08	Standard query (0)	mail.britishcrowncourt.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 2, 2024 11:29:59.885968924 CET	1.1.1.1	192.168.2.5	0x4a03	Name error (3)	75.103.13.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Dec 2, 2024 11:30:07.548091888 CET	1.1.1.1	192.168.2.5	0xea08	No error (0)	mail.britishcrowncourt.net		207.204.50.48	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 2, 2024 11:30:08.976697922 CET	587	49711	207.204.50.48	192.168.2.5	220 mailpod.hostingplatform.com ESMTP
Dec 2, 2024 11:31:03.461826086 CET	49711	587	192.168.2.5	207.204.50.48	EHLO 878411
Dec 2, 2024 11:31:03.793986082 CET	587	49711	207.204.50.48	192.168.2.5	250-mailpod.hostingplatform.com 250-STARTTLS 250-PIPELINING 250-8BITMIME 250-SIZE 65000000 250 AUTH LOGIN PLAIN CRAM-MD5

Target ID:	0
Start time:	05:29:53
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\bpaymentcopy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bpaymentcopy.exe"
Imagebase:	0x560000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:29:53
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\bpaymentcopy.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bpaymentcopy.exe"
Imagebase:	0x110000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:29:53
Start date:	02/12/2024
Path:	C:\Users\user\Desktop\bpaymentcopy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bpaymentcopy.exe"
Imagebase:	0x950000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: PredatorPain, Description: unknown, Source: 00000002.00000002.2020474411.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:29:54
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Update.exe"
Imagebase:	0xdd0000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	05:29:55
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Update.exe"
Imagebase:	0x510000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000006.00000002.2712752940.0000000003A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000006.00000002.2712752940.00000000039B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: PredatorPain, Description: unknown, Source: 00000006.00000002.2709145607.00000000029B1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:30:07
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 2052
Imagebase:	0x410000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	05:30:21
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0xf50000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: PredatorPain, Description: unknown, Source: 0000000C.00000002.3359110755.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	05:30:24
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x360000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:30:25
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x7ff6068e0000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:30:32
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0xa80000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PredatorPainRAT, Description: Yara detected PredatorPainRAT, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: RAT_PredatorPain, Description: Detects PredatorPain RAT, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: PredatorPain, Description: unknown, Source: 0000000F.00000002.3362055770.0000000003F58000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	05:30:39
Start date:	02/12/2024
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x930000
File size:	783'360 bytes
MD5 hash:	5205BE9A501DAE770C6E557B5FDAEEBC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:31:03
Start date:	02/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Imagebase:
File size:	1'173'928 bytes
MD5 hash:	D881DE17AA8F2E2C08CBB7B265F928F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	05:31:07
Start date:	02/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1300
Imagebase:	0x410000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.1%
Total number of Nodes:	155
Total number of Limit Nodes:	3

Executed Functions

Function 01184AE8 Relevance: 18.8, APIs: 1, Strings: 8, Instructions: 3086
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01184E7D

Strings

abcdefghijklmnopqrstuvwxyz1234567890, xrefs: 01184B17
P V, xrefs: 01184F55
U, xrefs: 01185143
F, xrefs: 0118510D
., xrefs: 0118521F
-, xrefs: 0118511B
(, xrefs: 01185139
(, xrefs: 01185125

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: InitializeThunk
String ID: abcdefghijklmnopqrstuvwxyz1234567890$($($-$.$F$P V$U
API String ID: 2994545307-3984614173
Opcode ID: b84671594912ac99732c1985e1f25fe066c1f458a04bc8a258d66ba0b5ee189c
Instruction ID: 31b2c96a5fd03d00a0568059d1d930049b8ef574c64dc528eae788f0283dc16f
Opcode Fuzzy Hash: b84671594912ac99732c1985e1f25fe066c1f458a04bc8a258d66ba0b5ee189c
Instruction Fuzzy Hash: 6B532C74A402188FCB54DB69DD94B9DBBFABF88300F5085D9E809AB369DA305F84CF45

Function 01184A57 Relevance: 18.6, APIs: 1, Strings: 8, Instructions: 2804
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01184E7D

Strings

abcdefghijklmnopqrstuvwxyz1234567890, xrefs: 01184B17
P V, xrefs: 01184F55
U, xrefs: 01185143
F, xrefs: 0118510D
., xrefs: 0118521F
-, xrefs: 0118511B
(, xrefs: 01185139
(, xrefs: 01185125

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: InitializeThunk
String ID: abcdefghijklmnopqrstuvwxyz1234567890$($($-$.$F$P V$U
API String ID: 2994545307-3984614173
Opcode ID: 6d4703ae5ddb5d289e818f40c70c3da5daefedbae4179a93a1d529cd6c55afe5
Instruction ID: 11f585e986925d78ead163c48d5924d4d31a5aebc62a369a8be12fe2e24b74dc
Opcode Fuzzy Hash: 6d4703ae5ddb5d289e818f40c70c3da5daefedbae4179a93a1d529cd6c55afe5
Instruction Fuzzy Hash: 20430C74A402188FCB54DB69DD94B9DB7FABF88300F5485D9E809AB369DA306F84CF44

Function 01184AD8 Relevance: 18.5, APIs: 1, Strings: 8, Instructions: 2776
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01184E7D

Strings

abcdefghijklmnopqrstuvwxyz1234567890, xrefs: 01184B17
P V, xrefs: 01184F55
U, xrefs: 01185143
F, xrefs: 0118510D
., xrefs: 0118521F
-, xrefs: 0118511B
(, xrefs: 01185139
(, xrefs: 01185125

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: InitializeThunk
String ID: abcdefghijklmnopqrstuvwxyz1234567890$($($-$.$F$P V$U
API String ID: 2994545307-3984614173
Opcode ID: 667fe0d3e7e861402707fe475a56348b3099397b2e4955112a9320e9ceda02ec
Instruction ID: 91082a73cd9c9fa76116c990f424b8678c8a0e7d978eed16f8e498ecce4220cc
Opcode Fuzzy Hash: 667fe0d3e7e861402707fe475a56348b3099397b2e4955112a9320e9ceda02ec
Instruction Fuzzy Hash: 1B430B74A402188FCB54DB69DD94B9DB7FABF88300F5485D9E809AB369DA306F84CF44

Function 01180860 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 434
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01180D83

Strings

@, xrefs: 01180C88

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: a3bbd00f84bdc2915b5a86e37d6792818f5199be594956d1df8a576b657e30e8
Instruction ID: 426c0c051a5d7e7d1efeb838764ba4aef002f027bc3b295831b58a601ac8a657
Opcode Fuzzy Hash: a3bbd00f84bdc2915b5a86e37d6792818f5199be594956d1df8a576b657e30e8
Instruction Fuzzy Hash: 20020370E002099FDB58DF98C591AADBBB2FF49210F64819AE819EB205D374ED85CF91

Function 011889F0 Relevance: 1.8, Strings: 1, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pnq, xrefs: 01188E09

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID:
String ID: pnq
API String ID: 0-1150273632
Opcode ID: da5c33cb7103dda352b213ba596e14539e07351d9228802a972c1dc7125da2ca
Instruction ID: e20ecf1f44e6f0b746d04df02c150bcc3cfeac351040c1118764c35b2d9400b0
Opcode Fuzzy Hash: da5c33cb7103dda352b213ba596e14539e07351d9228802a972c1dc7125da2ca
Instruction Fuzzy Hash: 5B32E275A00218DFDB29DF68C944E99BBB2FF49304F1580E9E609AB361DB319E91CF50

Function 0118D248 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0118D2B6

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 68b074e940dc151a2aa7d224692be285b77ee9ee03cd66e30bffc30e842ec55a
Instruction ID: a1bc6bb1c9ca3af7c77e3df06b7c61aba0e4441a3733ec2d8ce65de43edf7082
Opcode Fuzzy Hash: 68b074e940dc151a2aa7d224692be285b77ee9ee03cd66e30bffc30e842ec55a
Instruction Fuzzy Hash: 0411E7B1D003098EDB14DFAAC5456AEFBF5EF49320F54842AD519A7250CB78A944CFA1

Function 04F90040 Relevance: .9, Instructions: 881COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 731b6e78d74903c87ca0c85b0fc07170cdc8085147cdf4f5d20d07376e596573
Instruction ID: c6d3555653e17e93133ae0225e86638d9bebfbb6e80a7d5fcc6bcfd82abcb925
Opcode Fuzzy Hash: 731b6e78d74903c87ca0c85b0fc07170cdc8085147cdf4f5d20d07376e596573
Instruction Fuzzy Hash: CE927D74E01229CFEB64DF69C984BDDBBB1AB59314F1081EAA90DA7251DB309E81CF50

Function 0118A8C0 Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b27d11b2d1f07a77909a4a519ba7d10d6f8af2986d7a065a5ca2974efc0f4814
Instruction ID: dc37ae39e08000aed12fe8e9956c1f76fa3bec1ee4f25c659b30ff78a86f5108
Opcode Fuzzy Hash: b27d11b2d1f07a77909a4a519ba7d10d6f8af2986d7a065a5ca2974efc0f4814
Instruction Fuzzy Hash: 0542A678E44229CBDB68DF69D984BDDBBB2BF49300F1095A9D909A7390DB705E81CF10

Function 0118897F Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ce8c0e61f613ade995e527fe8ee478fa93174dca7e3508a4dd5c6a39031bd7
Instruction ID: e4ee30025dd6bafa8c8887a958085e1e18bcb67b10735ee947fdbd96f1508375
Opcode Fuzzy Hash: 87ce8c0e61f613ade995e527fe8ee478fa93174dca7e3508a4dd5c6a39031bd7
Instruction Fuzzy Hash: 55613A75E052588FDB19CF6AD840AC9FBB2EF99300F54C1EAD409AB265EB305A85CF11

Function 0118EC7D Relevance: 1.8, APIs: 1, Instructions: 277
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0118EEBE

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d91a642ceabdc22f31a5cef4720c56ce93813bf0f951be775202d7b3a67e0294
Instruction ID: 69fe15be53c167a4e528662a55daa9f7c6f806830bf74a62b9b15385c17decd5
Opcode Fuzzy Hash: d91a642ceabdc22f31a5cef4720c56ce93813bf0f951be775202d7b3a67e0294
Instruction Fuzzy Hash: 6BB18C71D01219CFEB24EFACC8407EEBBB2BF49310F148569E819A7290DB749985CF91

Function 0118EC88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0118EEBE

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9d449e45a2be36b7da66b16e7a7a17bd0b80192b9b7ea985735d2430b0b0dc56
Instruction ID: d79966434711a4028f883f0ba7978307f22f1a884ef70a7497817b8c9557bc02
Opcode Fuzzy Hash: 9d449e45a2be36b7da66b16e7a7a17bd0b80192b9b7ea985735d2430b0b0dc56
Instruction Fuzzy Hash: F4917C71D01219DFEB28EF6CC8407DDBBB2BF49310F1485A9E819A7290DB749985CF92

Function 0118D5F0 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00000000,?), ref: 0118D5A8

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d6a46a0c7242c3fdb17041e50c6fb7e1d0655ce3ce4084f605f27cd2af6728fc
Instruction ID: 09c21278f5f2ff6ae42687cceb1377eda8f3c581ca48448607774e9d5ac6434b
Opcode Fuzzy Hash: d6a46a0c7242c3fdb17041e50c6fb7e1d0655ce3ce4084f605f27cd2af6728fc
Instruction Fuzzy Hash: 0D51E275E002198FDF08EFEAD8446DEBBF2AF99314F10C02AD519AB294DB345945CFA1

Function 0118E9F8 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0118EA90

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 61ece0c7470327d228a44ebb6c0f25c32d4152a2f42bab0c5ddafe04be2e68e0
Instruction ID: 9cd764bf48ad14daf8df539850bc7b82c41adb8c8cbbc40f858132cbcb501890
Opcode Fuzzy Hash: 61ece0c7470327d228a44ebb6c0f25c32d4152a2f42bab0c5ddafe04be2e68e0
Instruction Fuzzy Hash: E32146B19003099FDB24DFAAC881BEEBBF5FF48310F10842AE919A7250C7789545CFA0

Function 0118EA00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0118EA90

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 078d6fa992d32cf80778dedc91999cd3f38d6c983000b13dba313aee2b9da778
Instruction ID: d83a61ca02c083a00e8d6cbf692fdd56b75271b026f583848dbcc126961c7dab
Opcode Fuzzy Hash: 078d6fa992d32cf80778dedc91999cd3f38d6c983000b13dba313aee2b9da778
Instruction Fuzzy Hash: E42127B19003099FDB14DFAAC885BEEBBF5FF48310F10842AE919A7250D7789944CFA0

Function 0118E860 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0118E8E6

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7978b58cb2864406900fc3e120b666eac578096b95d75fe706eef2ad44f130e4
Instruction ID: a4961746e716ad57e4c355ece1d847a6e5939ee969c0150e0f595f316a338444
Opcode Fuzzy Hash: 7978b58cb2864406900fc3e120b666eac578096b95d75fe706eef2ad44f130e4
Instruction Fuzzy Hash: AC2137B1D002098FDB54DFAAC5857EEBBF4EF49310F54842AD559A7240CB789585CFA0

Function 0118EAE9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0118EB70

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: dd66ef0e2721c50398455895be14e0494c16b13ad380c114c429a8d9972a0d37
Instruction ID: 6aef71aecadd2ee9f96fc1950417227a27a5cd06a7acab66641e7fd1836ac02c
Opcode Fuzzy Hash: dd66ef0e2721c50398455895be14e0494c16b13ad380c114c429a8d9972a0d37
Instruction Fuzzy Hash: A52145B1C002499FDB20DFAAC885AEEFBF5FF48310F10842AE559A3250C7789544CFA0

Function 0118E868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0118E8E6

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 030bd74b35b3a000ad188ea40e6c73bce7d3c089a99c9cb16575e00bb3d28b17
Instruction ID: 9a8eace56e00d307fbc475a4ad370d075c954b23be7a83e5e1223c21f34c0f93
Opcode Fuzzy Hash: 030bd74b35b3a000ad188ea40e6c73bce7d3c089a99c9cb16575e00bb3d28b17
Instruction Fuzzy Hash: AB2138B1D003098FDB14DFAAC4857AEBBF4EF49310F54C42AD519A7240CB78A944CFA0

Function 0118EAF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0118EB70

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 45f21e602be151b7d9ab35a11268e1576bb42e333e3f7c87be86cf930d5ef44a
Instruction ID: ea69f4739af1a21df095677a77b529282159697c57c56b7f53045d783d14cba2
Opcode Fuzzy Hash: 45f21e602be151b7d9ab35a11268e1576bb42e333e3f7c87be86cf930d5ef44a
Instruction Fuzzy Hash: E32128B1C003499FCB10DFAAC841AEEBBF5FF48310F50842AE519A7250C7789540CBA0

Function 0118D528 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 0118D5A8

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7c573939e6716ff7c84c981c1434d74a3a3659c51aa72dd142c399179515aed8
Instruction ID: 731240a77fa52f6a53c915a175d150f11cf031735e0f23872ccef7fd94c4b51a
Opcode Fuzzy Hash: 7c573939e6716ff7c84c981c1434d74a3a3659c51aa72dd142c399179515aed8
Instruction Fuzzy Hash: A82137B1D042098FDB14DFAAC9457EEBBF5AF88310F14842AD419A7290CB799945CFA0

Function 0118D241 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0118D2B6

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 1dcf7c1add6cb5e12a06815bedf391050a0ecc50d77124488d811f841ab857eb
Instruction ID: 1326113b553a87d97c9d903a1f6d6acfa79f87581f718c8ac2c00693fb99c5fb
Opcode Fuzzy Hash: 1dcf7c1add6cb5e12a06815bedf391050a0ecc50d77124488d811f841ab857eb
Instruction Fuzzy Hash: 6C21F7B1D003098FDB14DFAAC484A9EFBF5FF49320F54842AD419A7250DB78A944CFA1

Function 0118D530 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 0118D5A8

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 9b991830b135275f68eb8337fe6b23fd90d08b303d929e041bed2d2d7b732410
Instruction ID: 7c52d178f5fbc5bbc53ffe6fbdcf05816bfc910f37e8bb94fb8d11766815ffd4
Opcode Fuzzy Hash: 9b991830b135275f68eb8337fe6b23fd90d08b303d929e041bed2d2d7b732410
Instruction Fuzzy Hash: D72115B1D002098FDB14DFAAC9457AEBBF5AF88310F14842AD415A7290CB79A945CFA1

Function 0118E938 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0118E9AE

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27216614a849d4a310f63a727dbbaaa5c9884fdbcbd760f4b92932e2ccabdd93
Instruction ID: fb78a4cbbbbc419e92972d47c093bbd35e88647325dec31033214204be909728
Opcode Fuzzy Hash: 27216614a849d4a310f63a727dbbaaa5c9884fdbcbd760f4b92932e2ccabdd93
Instruction Fuzzy Hash: 47115971D002499FDB24DFAAC8456EEBFF5EF88320F108419E559A7250C7799545CFA0

Function 01180D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01180D83

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8581ab4e71669a7dc27bb8285f67e8d49216727e7abeb4172bd5e851446ea1ba
Instruction ID: 66ad04d5085f6abe8634a649136215a2b5faa9b36337855447517003014820c9
Opcode Fuzzy Hash: 8581ab4e71669a7dc27bb8285f67e8d49216727e7abeb4172bd5e851446ea1ba
Instruction Fuzzy Hash: 2621E4B59002499FCB10DF9AC584BDEFBF9FF48320F10842AE958A7250D378A644CFA1

Function 0118E940 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0118E9AE

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1fa715bb8700933f6b515aa0aac4ac435e3dffefe0e7590c1bcab38bc6055df7
Instruction ID: 48b6a7478bb7e735734cfd51cf3a88f7eb12eae212410a52ad0ba523108c5b94
Opcode Fuzzy Hash: 1fa715bb8700933f6b515aa0aac4ac435e3dffefe0e7590c1bcab38bc6055df7
Instruction Fuzzy Hash: 90114971D002499FCB14DFAAC845AEFBFF5EF88320F148419E519A7250CB79A550CFA1

Function 0118E7B1 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0118E81A

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: aa7de17e23db7153919aca4b70cbaf519904c671b06b0d917ed5bd4e0e98e99d
Instruction ID: 9ffca3c92bb8becd9296f233e1dad2f3d04704fbd293c5fa0055c1590894504b
Opcode Fuzzy Hash: aa7de17e23db7153919aca4b70cbaf519904c671b06b0d917ed5bd4e0e98e99d
Instruction Fuzzy Hash: F91146B1D002498FDB24DFAAC4457EEFBF4EF88320F14841AD519A7650C778A585CF94

Function 0118E7B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0118E81A

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 77b8e27da09d5b16857ce3a6d9b7e30b82e2e9d46b1362072a5ce66dc14b5274
Instruction ID: ef49d23626688e118e93fb4e3059068ecb346418bc6d616e958a07954ff3eff9
Opcode Fuzzy Hash: 77b8e27da09d5b16857ce3a6d9b7e30b82e2e9d46b1362072a5ce66dc14b5274
Instruction Fuzzy Hash: 01113AB1D003488FDB24DFAAC4457AEFBF5EF89320F148419D519A7250CB79A544CFA4

Function 0118A884 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0118D367

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 88fa613df03b510abea1af6c6cb5b512be7aa477c3e92effd6efef9655c0fb10
Instruction ID: 9804e5274fc5d3589450330ee646518e92d8e66a94f5369ad7cdbac6a8657ebe
Opcode Fuzzy Hash: 88fa613df03b510abea1af6c6cb5b512be7aa477c3e92effd6efef9655c0fb10
Instruction Fuzzy Hash: 0D1106B5804349CFCB14DF9AD544B9EFBF4EB49310F10845AD519A7250C774A944CFA5

Function 0118D300 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0118D367

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: dde8eafa549d73f0487dd0571a2adadcf2fe2582c0ae96719f1b3de2c8cec21d
Instruction ID: ab30cb60baf5da6434471f861477b731c7aa5984d7df97ea4f6d90ef1e9430b4
Opcode Fuzzy Hash: dde8eafa549d73f0487dd0571a2adadcf2fe2582c0ae96719f1b3de2c8cec21d
Instruction Fuzzy Hash: 0711F2B5904249CFCB10DF9AE484BEEBBF4EF49714F20845AD518A7650C378A944CFA1

Function 00B2D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338885396.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01806b6580733fc10f8f7e0a2da23294ae0baf6d9626b84d93662831100ee1c6
Instruction ID: d37a0b82ddca90383e7c6ed07b5f44b8386072fc65463e578a6d7f03fd1078a0
Opcode Fuzzy Hash: 01806b6580733fc10f8f7e0a2da23294ae0baf6d9626b84d93662831100ee1c6
Instruction Fuzzy Hash: E02101716042409FCB14DF24E5D4F27BBA5FB88714F20C6ADE90D4B2A5C33AD807C662

Function 00B2D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3338885396.0000000000B2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b2d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0ff6b08069e97fd05f33cc3a50cabfcbae37e6b7b199a96b6475edea31890ad
Instruction ID: b74cd9663c668599b8d0ba8d0e309bc954c10dae5e45b9aec542610d66c3cd19
Opcode Fuzzy Hash: f0ff6b08069e97fd05f33cc3a50cabfcbae37e6b7b199a96b6475edea31890ad
Instruction Fuzzy Hash: C721C3755083C08FC702CF20D594715BFB1FB46314F28C5EAD8498B6A3C33A980ACB62

Function 04F90F6F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf36eeafa6efe46eb5dd578733a4d25f618426394b2774b379405250b68b778
Instruction ID: 365dec7528d25e19e1739aef07e55bf739c935f10f67699a09f4342934267ef9
Opcode Fuzzy Hash: cbf36eeafa6efe46eb5dd578733a4d25f618426394b2774b379405250b68b778
Instruction Fuzzy Hash: 6F119D78E01228CFEFA0DF64D848BD9B7B0AB59311F0094A9D50DA7250DB345A848F51

Function 04F91200 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492c7b17fd3ad426154bb7880ef1fd999716c81eff310573d9fb41825fdce1b1
Instruction ID: 5020bd957b22a2a16b934abbe3f63b60c6e27f1f30c834f154d5bdf140f2e16f
Opcode Fuzzy Hash: 492c7b17fd3ad426154bb7880ef1fd999716c81eff310573d9fb41825fdce1b1
Instruction Fuzzy Hash: 03F0A734A442446FEB09DB98D890AA8BF72DB55318F2482EA98059B3D3D6329943DB45

Function 02910561 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3342795684.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c468d1216cde06419113a54099f6d5c6cf0f2a208495e8b92ad19b3780d130a6
Instruction ID: 1fbc15a3b344beb117eeec78b8e43c162c4aff0d246d8eea3c80c460af45c955
Opcode Fuzzy Hash: c468d1216cde06419113a54099f6d5c6cf0f2a208495e8b92ad19b3780d130a6
Instruction Fuzzy Hash: 1BF0346454E3C58FC763C778C8556987FB09F0B220B1A02CBD990CF2F3D2694A59E752

Function 02910AA5 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3342795684.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb1a8590f8462d42d5425754cd3081bdced74acd8a23bc58347a4d47005ef37
Instruction ID: 1640d462b124ef9444125dafda4ae32e6a4261b97d8acccb64492fbf51fb155a
Opcode Fuzzy Hash: 2bb1a8590f8462d42d5425754cd3081bdced74acd8a23bc58347a4d47005ef37
Instruction Fuzzy Hash: 49E09A7080E3C49FC71797B454A92E87F358F23218F2A00DAC884AB2A3C73A0E56C752

Function 02910580 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3342795684.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbb5490a171df5fcc10e29a420f1834139c1f74815812d1e33ef51cacb47603d
Instruction ID: 6de4086041b9f609e51d1d68d9a5d7c15f61282f265300ddd2c095ae15e0a4b7
Opcode Fuzzy Hash: cbb5490a171df5fcc10e29a420f1834139c1f74815812d1e33ef51cacb47603d
Instruction Fuzzy Hash: 10E0B678911208DFCB44EFA9D58569CBFF4AB08215F6040E9D90497360E6319A90DB81

Function 04F91438 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01382f8608e14a74b00068cc3d49a493bf594d525854cdcfa06745ba276fef99
Instruction ID: 4db576d000f4b5b5afd464e8e488f4fadf4c205f0a5acca0faf2320f9b4072b3
Opcode Fuzzy Hash: 01382f8608e14a74b00068cc3d49a493bf594d525854cdcfa06745ba276fef99
Instruction Fuzzy Hash: D8D05E34901108EFCB04DF98EA81A5AB7F8EB99315F208098D80847391DB32AE12DBD1

Function 04F9143A Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89c2c506e3e28b364eb449c1cc111ed5147a1fe1d069f4e00edfea905b85947
Instruction ID: f500e32ad77238917d183c88f24ca526a4fd5267b481d466a0af4b69c917821d
Opcode Fuzzy Hash: a89c2c506e3e28b364eb449c1cc111ed5147a1fe1d069f4e00edfea905b85947
Instruction Fuzzy Hash: 27D05E34901004DFCB04DF58EA80A69B7F4EB99315F208198D80847390C7329E13DB90

Function 02910AC0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3342795684.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Offset: 02910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2910000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d350775ce3fdb867c283ffaccfec457a6dccd3cd2a90056cec05949bbf6b15
Instruction ID: e35e9e27bdd32753bc62ebdef0b54f1929f099674a5438be6cac39d9e4027e0e
Opcode Fuzzy Hash: c0d350775ce3fdb867c283ffaccfec457a6dccd3cd2a90056cec05949bbf6b15
Instruction Fuzzy Hash: 63D0C970842208DBCB19EBA99544699776DDB1122AF6040EC980426290DB769A90EBD1

Function 04F91210 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3366023228.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f90000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2a06fc52192f2617bdf52accf12857201490fdd2b906be86e13752300ad809
Instruction ID: 578ee5007b55445775343fa52efe4fa20c7122072751cede608384aa6fd620a0
Opcode Fuzzy Hash: fe2a06fc52192f2617bdf52accf12857201490fdd2b906be86e13752300ad809
Instruction Fuzzy Hash: 27C08C3098220D4AF81D3698A644B75318E8B91325FA0466122191A6E29AA5A9A1E2AA

Non-executed Functions

Function 01189CB0 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

pnq, xrefs: 01189F5A

Memory Dump Source

Source File: 00000000.00000002.3340939125.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1180000_bpaymentcopy.jbxd

Similarity

API ID:
String ID: pnq
API String ID: 0-1150273632
Opcode ID: 2db43e04d9bf1b4efe601012569712e13cee4b7f21ad865ab23702b579fb3c03
Instruction ID: 34bd94f0d6a07a5e8d42216af3bf9fd8be6df03b63c303b778b04a8faf15aa33
Opcode Fuzzy Hash: 2db43e04d9bf1b4efe601012569712e13cee4b7f21ad865ab23702b579fb3c03
Instruction Fuzzy Hash: 99020375A00218DFDB19DFA9D980E9DBBB2FF49304F1580A9E509AB232DB31D991DF10

Analysis Process: bpaymentcopy.exePID: 6468, Parent PID: 6616COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	180
Total number of Limit Nodes:	8

Executed Functions

Function 05347254 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,?,?,00000001,00000000), ref: 0534736B

Strings

4Ljq, xrefs: 0534731B

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: CreateFileMapping
String ID: 4Ljq
API String ID: 524692379-2677868233
Opcode ID: 52be867de9a5942e44419dce5f3578a646f904711c4a8dadd5725fd2bcab4d43
Instruction ID: 24df5af304669c2cf7630dc7c1d78376a81eaf11433fc56ab44d8a8dd3aef739
Opcode Fuzzy Hash: 52be867de9a5942e44419dce5f3578a646f904711c4a8dadd5725fd2bcab4d43
Instruction Fuzzy Hash: 9D51E5B1D143489FDB14CFAAC888B9EBBF5FF48314F24812AE419AB251D7B4A445CF91

Function 05347260 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,00000000,?,?,00000001,00000000), ref: 0534736B

Strings

4Ljq, xrefs: 0534731B

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: CreateFileMapping
String ID: 4Ljq
API String ID: 524692379-2677868233
Opcode ID: cfa89be423c2322c6508a8ab0de0c88357e9a6cfb4138de70c66acd005d445b0
Instruction ID: ee7f55ac2ec0a66861b663531b06cc033d8adafc6b6933191e079b346c572811
Opcode Fuzzy Hash: cfa89be423c2322c6508a8ab0de0c88357e9a6cfb4138de70c66acd005d445b0
Instruction Fuzzy Hash: F751F5B1D143489FDB14CFAAC888B9EBBF5FF48314F24812AE419AB251D7B4A445CF90

Function 02BAD3E8 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BAD64E

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7c27c69387db40579eae918906e4b163fc3be1c6e7f8562f6ebb73a79a4d72f8
Instruction ID: cf8dd72776e2ea2c4a39c450c38d8460cf12459662ad4cf3c1e6465f32c64b26
Opcode Fuzzy Hash: 7c27c69387db40579eae918906e4b163fc3be1c6e7f8562f6ebb73a79a4d72f8
Instruction Fuzzy Hash: 2B817870A04B058FD728DF29D064B9ABBF1FF88304F04896ED48AD7A40DB74E845CB90

Function 02BAC45C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02BAFB02

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c2af66f14af2d8d5df00857bfb2b2cef10523a363edb6c4216328590a0ed42df
Instruction ID: 20c2cbff114ce7945dff44dad086df14e6117a0a4d76a6188f73a7b4e2464256
Opcode Fuzzy Hash: c2af66f14af2d8d5df00857bfb2b2cef10523a363edb6c4216328590a0ed42df
Instruction Fuzzy Hash: 3251DFB1D00309AFDB14CF9AC994ADEBBB5FF48304F64816AE819AB210D7759885CF90

Function 05346CFA Relevance: 1.6, APIs: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 05348001

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5df84f45f2af473613dcefd738e9a8489b091f4f690b6e62c14ecdf32907919d
Instruction ID: cbe632b39373619e2ce5b85cc2a3b9d9d75020a371cebd8368e9f68035041edb
Opcode Fuzzy Hash: 5df84f45f2af473613dcefd738e9a8489b091f4f690b6e62c14ecdf32907919d
Instruction Fuzzy Hash: 1E41F0B1C04319CECB25DFA9C854A9DBBF5BF49304F24806AD408AB255D7B5694ACF90

Function 05346D64 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05348001

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b807509a970f33a99619121b4c8865692e49c95ed6dc7a5577bba3626fda71fb
Instruction ID: 577ff00bab85d15a6dae314880ae24d6bf4550ecd505f1503393b944d8589371
Opcode Fuzzy Hash: b807509a970f33a99619121b4c8865692e49c95ed6dc7a5577bba3626fda71fb
Instruction Fuzzy Hash: 0F41E2B0C10619CBDB24DFA9C844B9DFBF5BF49304F20846AD408AB255DBB5694ACF90

Function 05347F44 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05348001

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7ff680d3451848c27033be8864ec5bcd9b95a41f3fe9176710622c2d15e135b9
Instruction ID: dca356feb75b3db9ff03ab8c261512c2cebdb8ec38cb73fbe5a455f798616374
Opcode Fuzzy Hash: 7ff680d3451848c27033be8864ec5bcd9b95a41f3fe9176710622c2d15e135b9
Instruction Fuzzy Hash: 1B4101B1C10619CFDB24DFA9C944B9DFBF5BF48304F20806AD418AB255DBB5694ACF50

Function 05342300 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 053423C1

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: f09b038290f94f84f4acaa9d34be4e4cd7b9e8b722ccde35d86cc725d4ba3b60
Instruction ID: 1ed2620411e4f0df5e7cdca5477ef0effaac875d684c2d1a7def41a51d983bba
Opcode Fuzzy Hash: f09b038290f94f84f4acaa9d34be4e4cd7b9e8b722ccde35d86cc725d4ba3b60
Instruction Fuzzy Hash: 574108B99002059FCB14CF99C448AABBBF5FF89314F24C499E519AB321D775A841CFA0

Function 02BA76A0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BA772F

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5012de499c48df428c2c7950475b1bb9b4224797887c6232aa72bd8fc3935a69
Instruction ID: 4d0b8333aea23301a82b073679356398b420b98df28019cdcf8334806fe04ff4
Opcode Fuzzy Hash: 5012de499c48df428c2c7950475b1bb9b4224797887c6232aa72bd8fc3935a69
Instruction Fuzzy Hash: 3121E5B5D00208AFDB10CFAAD584ADEFBF5FB48310F14845AE918A3250D378A944CFA5

Function 02BA76A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BA772F

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e614937d24114ea933ef9c3723053915fd3f0f7e1d8fa6da26f3715fc44f4d20
Instruction ID: 5f61245850bbf46c65ed6919a7b14515426ac8dcd86573cef476539c3524ba04
Opcode Fuzzy Hash: e614937d24114ea933ef9c3723053915fd3f0f7e1d8fa6da26f3715fc44f4d20
Instruction Fuzzy Hash: 9721C2B59002489FDB10CFAAD984ADEFBF9FB48310F14845AE918A3350D378A954CFA5

Function 05347508 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,00000001,00000004), ref: 05347594

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: da822ed69160a297249eaf941c5d0270e39ed9754930dbd0cc3898b6d0a0adcd
Instruction ID: 2ee1b86c8632a62ff6afcdcb29d222837bb0701c2e31368e26510aa4ba8a4e9c
Opcode Fuzzy Hash: da822ed69160a297249eaf941c5d0270e39ed9754930dbd0cc3898b6d0a0adcd
Instruction Fuzzy Hash: 332103B58102489FCB10CF9AD588A8ABFF5FF48314F14C459E908AB261D775A844CF60

Function 05347510 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,00000001,00000004), ref: 05347594

Memory Dump Source

Source File: 00000002.00000002.2067886685.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5340000_bpaymentcopy.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9e6e9e786d15e3f23e9adcbe572fa8941e73ba1f4e1ce7d492548198702d1a48
Instruction ID: 09b3f223698f0851ab46e73685f430b8f0a165190d5ca7988e57e1405af35a33
Opcode Fuzzy Hash: 9e6e9e786d15e3f23e9adcbe572fa8941e73ba1f4e1ce7d492548198702d1a48
Instruction Fuzzy Hash: 5B21E2B58002489FCB10CF9AD588B8EFFF5EF48314F14C05AE918AB261D779A844CF60

Function 02BAF60C Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?,?,?,?,?,?,02BAFC20,?,?,?,?), ref: 02BAFC95

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: d5efc1f682f79cee2b1cb5b9698cef61ae2b2ceb8402cdbdf54f04eb26bdfb86
Instruction ID: d27e8c49b8945c55175850d2b9a492be59ca0ed26049686ac102c40f6f8739da
Opcode Fuzzy Hash: d5efc1f682f79cee2b1cb5b9698cef61ae2b2ceb8402cdbdf54f04eb26bdfb86
Instruction Fuzzy Hash: 191106B58042489FDB10DF9AC588BEEFBF8EB48314F10845AD918A7740D379A944CFA5

Function 02BAD5E8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02BAD64E

Memory Dump Source

Source File: 00000002.00000002.2021490922.0000000002BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2ba0000_bpaymentcopy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bcc856a9dd5559ffaddb733387ea8abe87816568f9b2edec50b69ebe817beeab
Instruction ID: 323d43663aecf6b334ba3257f4ea70b9d03481c3782dc5b500dc2bf43c13b80b
Opcode Fuzzy Hash: bcc856a9dd5559ffaddb733387ea8abe87816568f9b2edec50b69ebe817beeab
Instruction Fuzzy Hash: F01122B6C003498FCB10CF9AC444ADEFBF4EF88314F10845AD828A7600C379A545CFA1

Function 0110D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33bc7c6a76defe12a4b9eaf71b427e7a4aa4170a48d0f666ec829cf4c423a655
Instruction ID: fc5f2d9652bacf4cb00901e94d2245de7454a71a4058deb2659cfd62061e1f72
Opcode Fuzzy Hash: 33bc7c6a76defe12a4b9eaf71b427e7a4aa4170a48d0f666ec829cf4c423a655
Instruction Fuzzy Hash: 7C21F771900204DFDF0ADF98E5C0B16BF75FB88318F208569ED090B296C376D456C6A2

Function 0110D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 271899ae4c3156c86e9dc664d49f5f3cb50ad27675e44551cd0b9651000639d9
Instruction ID: 87a5db7d3c25d092ad4280ecc7424b06c45c794c4b71d1080357f3d4d2ace3fa
Opcode Fuzzy Hash: 271899ae4c3156c86e9dc664d49f5f3cb50ad27675e44551cd0b9651000639d9
Instruction Fuzzy Hash: D2210671900204DFDF0ADF98E9C0B66BF65FB94320F21C569E9094B696C37AE416C7A2

Function 0111D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021164075.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_111d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b5d7300c0d55372cbd41397efd04779c7d610661df972e4e0cdc33fc6cd7dc
Instruction ID: 620d7b9b2e11a22d8f338fee6e4641ed9255ac52b76976fcc1d9a2685f69e194
Opcode Fuzzy Hash: e6b5d7300c0d55372cbd41397efd04779c7d610661df972e4e0cdc33fc6cd7dc
Instruction Fuzzy Hash: A5210075604200DFCF19DF68E988B26FF65EB88314F20C5BDD90A0B25AC33AD406CA62

Function 0110D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 4b8e782e4ff2ae3b79a008bac9264378e7ae5f22d0d26cc82f7ac824ccbc41de
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6611AF76904240CFDF16CF94E5C4B16BF71FB88324F2486A9DD090B256C33AD45ACBA2

Function 0110D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 2570ac9012467b149c4cff900ed1024b47ac2ca1eecd400eb590e0bbad9a2972
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 7411DF72804244DFCF06CF84D9C4B56BF62FB84320F24C5A9D9094B656C33AE45ACBA2

Function 0111D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021164075.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_111d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: ffb686f9e80ca277671ef4a9440f304b356177e4873fa2bc8d4f4ba60932b932
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 4111D075504280CFDB16CF58E5C8B15FF61FB44314F24C6A9D8494B65AC33BD44ACB62

Function 0110D667 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c18a09e33ccc898d11b479e489bca29a4c0b3bfc61ef5796e8f7eee1e970ce
Instruction ID: 66425cbc96ec56056ea896ec31118c7de853e7c928b356276329087090072461
Opcode Fuzzy Hash: d0c18a09e33ccc898d11b479e489bca29a4c0b3bfc61ef5796e8f7eee1e970ce
Instruction Fuzzy Hash: A2F049B6600604AF9724CF0ADC84C27FBADEFC4730319C05AE84A4B652C771EC41CEA0

Function 0110D658 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2021133238.000000000110D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0110D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_110d000_bpaymentcopy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae3c67af10e4430ad70d50fbadcdc612992d531d6da0f03850356933c05207d3
Instruction ID: 825c678c7fd33a523752b527869d44eeaaa52f67f15c07b9bd65a558ee354ad5
Opcode Fuzzy Hash: ae3c67af10e4430ad70d50fbadcdc612992d531d6da0f03850356933c05207d3
Instruction Fuzzy Hash: 1CF03C75104684AFD7168F46CD84C62BFB9EF856607198489E8894B252C671FC42CF61

Analysis Process: Windows Update.exePID: 5272, Parent PID: 6468COMMON

Execution Graph

Execution Coverage:	15.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	68
Total number of Limit Nodes:	0

Executed Functions

Function 013B4A6A Relevance: 16.8, APIs: 1, Strings: 7, Instructions: 2849
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 013B5139
-, xrefs: 013B511B
., xrefs: 013B521F
oq^, xrefs: 013B4A6A
U, xrefs: 013B5143
(, xrefs: 013B5125
F, xrefs: 013B510D

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID:
String ID: ($($-$.$F$U$oq^
API String ID: 0-395701549
Opcode ID: b98bc39866f5ac0553d4f484e913109565fd199c32512c90b4c94bae4a9c5d7f
Instruction ID: 9a355e270bf1fde993c51bcfd69d08f8c25a7a3c091fc022adb06b9bcc01f98f
Opcode Fuzzy Hash: b98bc39866f5ac0553d4f484e913109565fd199c32512c90b4c94bae4a9c5d7f
Instruction Fuzzy Hash: AC532F74A402198FCB54DF69DD94A9DB7BABF88304F10C5D8D80EAB369DA305E84CF58

Function 013B4AE8 Relevance: 15.3, APIs: 1, Strings: 6, Instructions: 3086
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 013B4E7D

Strings

(, xrefs: 013B5139
-, xrefs: 013B511B
., xrefs: 013B521F
U, xrefs: 013B5143
(, xrefs: 013B5125
F, xrefs: 013B510D

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$F$U
API String ID: 2994545307-2826122012
Opcode ID: f967ec60656adc3d2410559d1aece686a892d4437092d4df3e5253ba3c2227df
Instruction ID: 06deb70e4280145629c28acd15891019b60c9ffed22de84c69ab3c64a3f06925
Opcode Fuzzy Hash: f967ec60656adc3d2410559d1aece686a892d4437092d4df3e5253ba3c2227df
Instruction Fuzzy Hash: 47532D74A402198FCB54DF69DD94A9DB7BABF88300F10C5D8D80EAB369DA345E84CF49

Function 013B4AD8 Relevance: 15.0, APIs: 1, Strings: 6, Instructions: 2779
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 013B4E7D

Strings

(, xrefs: 013B5139
-, xrefs: 013B511B
., xrefs: 013B521F
U, xrefs: 013B5143
(, xrefs: 013B5125
F, xrefs: 013B510D

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$F$U
API String ID: 2994545307-2826122012
Opcode ID: d07db0fbcbb843398c8afa8aab99a7aa5edc7c8b90c4a4033bc577c160d6e386
Instruction ID: fd8aeb8da30ff64b7628c13c9cb35b1bd54a79aa0d43ae2ad388e9735025b123
Opcode Fuzzy Hash: d07db0fbcbb843398c8afa8aab99a7aa5edc7c8b90c4a4033bc577c160d6e386
Instruction Fuzzy Hash: E9431F74A402198FCB54DF69DD94A9DB7BABF88304F10C5D8D80EAB369DA305E84CF48

Function 013B0797 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 013B0C88

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4671436944ee1b493bf053e925f966633ef9238e40e2cb389c85306c9bf24eb7
Instruction ID: 304186a42205fe147c8930144d15536e42534327185f71b4880728e806cb83b4
Opcode Fuzzy Hash: 4671436944ee1b493bf053e925f966633ef9238e40e2cb389c85306c9bf24eb7
Instruction Fuzzy Hash: C1021771E002098FDB18CF98C4D06EEBBB2FF49214F64855AE915EB649E334ED85CB91

Function 013BEC7D Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 013BEEBE

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 921a2d1634a77ea773a36db96732e9325865e8aa07a06b2ef1cb21f27c5f23c2
Instruction ID: f5067c4f6a3b063fcfa3d7088426b98b224650f325d65576ce592cd8179b6e5a
Opcode Fuzzy Hash: 921a2d1634a77ea773a36db96732e9325865e8aa07a06b2ef1cb21f27c5f23c2
Instruction Fuzzy Hash: E8A17C71D00219CFEB20DF6CC8817EDBBB2BF48314F0485A9E919A7690EB749985CF91

Function 013BEC88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 013BEEBE

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 349958475b5111f4c284223fbd03b0cbd6486e06159ec659a0d8d5b2f4dcb3e0
Instruction ID: 22f959881c24834006f2381aced85c752dd341db79de182e34985d704b6880e9
Opcode Fuzzy Hash: 349958475b5111f4c284223fbd03b0cbd6486e06159ec659a0d8d5b2f4dcb3e0
Instruction Fuzzy Hash: 18917B71D00219CFEB20DF6CC8817EDBBB2BF48314F0485A9E919A7690EB749985CF91

Function 013BE9F8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 013BEA90

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 34c5b6d2575ee1d5221ec99a316534028cef85e6ca389782d02f5e47d3e29f8f
Instruction ID: 6b20082ce2b2247fb661bb0a06f1b440ec7b9b5846733daa8a112351cd162e8b
Opcode Fuzzy Hash: 34c5b6d2575ee1d5221ec99a316534028cef85e6ca389782d02f5e47d3e29f8f
Instruction Fuzzy Hash: D92157B59003599FDB10DFAEC885BEEBBF5FF48310F108429EA59A7240D7789944CBA0

Function 013BEA00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 013BEA90

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a3d8219642dbe7e2a174e735e608c70484d55618d0360421de4fd733d2e87a6f
Instruction ID: 0470db66e9c02ad017358fb490d3c600ce3dc1746e385e33156c818558375f64
Opcode Fuzzy Hash: a3d8219642dbe7e2a174e735e608c70484d55618d0360421de4fd733d2e87a6f
Instruction Fuzzy Hash: 412127B59003499FDB10DFAEC885BEEBBF5FF48310F108429E919A7240D7789944CBA0

Function 013BE860 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 013BE8E6

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: fa43b3e3998c740097f91a80f1f3886b29ed47cbff5bf459cb8b8c901da58b82
Instruction ID: 1e160e9e36c0cbbb6788725f62a202333fff49fa00bff78c3fefe5cddc24d669
Opcode Fuzzy Hash: fa43b3e3998c740097f91a80f1f3886b29ed47cbff5bf459cb8b8c901da58b82
Instruction Fuzzy Hash: 76212571D002098FDB10EFAEC885BEEBFF4EF48314F148429D559A7241DB789945CBA0

Function 013BEAEA Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013BEB70

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 697370af46460c4d40a02e0a594f2ce12a6c9c15d377e151c0427a8d6b6563bc
Instruction ID: af89fe11cd8f2c71df388e4153f93925bdc80c79531817a745f9f82624d45207
Opcode Fuzzy Hash: 697370af46460c4d40a02e0a594f2ce12a6c9c15d377e151c0427a8d6b6563bc
Instruction Fuzzy Hash: 3D2125B1C003599FCB10DFAAC885AEEFBF5FF48320F50842AE559A7250D7389945CBA0

Function 013BE868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 013BE8E6

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b064c4bfe0ac812d25b4349713a5668d3acd6f14d620fb56c9a5ec2c4c3b83e9
Instruction ID: ced8753e1c445b343483e3bc579c330685babcdaafe96685eeaaf1bdbb0adb8b
Opcode Fuzzy Hash: b064c4bfe0ac812d25b4349713a5668d3acd6f14d620fb56c9a5ec2c4c3b83e9
Instruction Fuzzy Hash: 012123B1D002098FDB10DFAEC485BEEBFF4EF48324F14842AD519A7240DB78A945CBA0

Function 013BEAF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 013BEB70

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 46bd1dd12fe843ce1f961265824cb522a29b8a23284cf3d2d121f6c666bc35fc
Instruction ID: 6833a8f00f0e0221c92790995e524ebe79fcb56c650b628c2cee6cc0c59cc01c
Opcode Fuzzy Hash: 46bd1dd12fe843ce1f961265824cb522a29b8a23284cf3d2d121f6c666bc35fc
Instruction Fuzzy Hash: 6C2107B1C003499FDB10DFAAC985AEEFBF5FF48320F50842AE559A7250D7789944DBA0

Function 013BD528 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00000000,?), ref: 013BD5A8

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: e6bdd8c7c53fc0bd0e3527b98288d9b2e665dd9ee0a0dc5af02a20fb3454951f
Instruction ID: 7cfc062592aa8ad5a8db22883c6ae9687cbb74ea06c57524b49099a8c90a869f
Opcode Fuzzy Hash: e6bdd8c7c53fc0bd0e3527b98288d9b2e665dd9ee0a0dc5af02a20fb3454951f
Instruction Fuzzy Hash: 742135B1D002098FDB10DFAAC9457EEFBF5AF88314F10842AD515A7290CB399945CFA0

Function 013BD241 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 013BD2B6

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: b1151c2473f3335ab5c7aa31a2f2906347acdd13b90793f89f06e2fd45bb8bdb
Instruction ID: 3b84d0f24284194ac7bf3b1224c06bba8c0636b825a075c393293db193c1e3d4
Opcode Fuzzy Hash: b1151c2473f3335ab5c7aa31a2f2906347acdd13b90793f89f06e2fd45bb8bdb
Instruction Fuzzy Hash: 091136B1D002488EDB20DFAAC4856EEFBF4FF48324F10842AD459A7210CB799945CFA0

Function 013BD530 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 013BD5A8

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 068cd75faab473895e58c032f1592fb85336ca1bcadd886dc06eeca27788b516
Instruction ID: f76abec31f6133b8311035a7bd7bee109c25d300a723bb5e78da00e45bef0777
Opcode Fuzzy Hash: 068cd75faab473895e58c032f1592fb85336ca1bcadd886dc06eeca27788b516
Instruction Fuzzy Hash: C7212771D002098FDB14DFAAC9457EEFBF5EF88314F10842AD515A7250CB79A945CFA0

Function 013B0D09 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 013B0D83

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 01258670ae11684e68c6608f4edab0ab4c7cfc5050a94e2f7e84ad1dd448bbc0
Instruction ID: 831292d4b6734f92830b0bdb068358cd2e983e6eda90e5af8a92e44ed95a81e2
Opcode Fuzzy Hash: 01258670ae11684e68c6608f4edab0ab4c7cfc5050a94e2f7e84ad1dd448bbc0
Instruction Fuzzy Hash: FA21E0B59003499FCB10DFAAC984BDEFBF4FB48320F508029E958A7650D378A544CFA1

Function 013BE938 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013BE9AE

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 42a602aef97195c6b05c4e75c330f4f15c79f59dc230ea27527e8ad2268178bc
Instruction ID: 5c302f3c151314ee0fdc16ac4427c002c300ab2013b74fb389269be13a3fc944
Opcode Fuzzy Hash: 42a602aef97195c6b05c4e75c330f4f15c79f59dc230ea27527e8ad2268178bc
Instruction Fuzzy Hash: 831159719002499FCB10DFAAC845AEFBFF5EF48324F108419E659A7250C779A544CBA0

Function 013B0D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 013B0D83

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0687aadd9a8826bd733c7d0fd7eddf5422809532135f2b036a1a9879aa5991b9
Instruction ID: bce99efb03b06fb26e19c71b6fa4719f30dce2bfce0d24caa4be5473abda8216
Opcode Fuzzy Hash: 0687aadd9a8826bd733c7d0fd7eddf5422809532135f2b036a1a9879aa5991b9
Instruction Fuzzy Hash: 6A21D3B59002499FCB10DF9AC985BDEFBF4FB48320F108429E958A7250D778A544CFA1

Function 013BD248 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 013BD2B6

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8eadcb87dcf3b99fba618d602b6792d1835fb61461efd44e4fdd24e854c80546
Instruction ID: d528d9a58d58eaee5dae70992aaef78ccd0af5d4be3134b4105743263a5ab653
Opcode Fuzzy Hash: 8eadcb87dcf3b99fba618d602b6792d1835fb61461efd44e4fdd24e854c80546
Instruction Fuzzy Hash: F51114B1D002498FDB10DFAAC485AEEFBF4EF48324F50842AD519A7240CB78A944CFA0

Function 013BE940 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 013BE9AE

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c0012e54604b375608bb83b38878424d3be832f63d2e71ad5d3719ec856f2741
Instruction ID: 8ecb16a6cfb70f89b5c9ca1381b5d9d87326c78103502e3f9c6eb4d3fb789cd4
Opcode Fuzzy Hash: c0012e54604b375608bb83b38878424d3be832f63d2e71ad5d3719ec856f2741
Instruction Fuzzy Hash: 4E1137759002499FDB10DFAAC845AEFBFF5EF48324F108419E519A7250CB79A544CFA0

Function 013BE7B1 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 013BE81A

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e4e6141aa0df61e0a3b14dd5b3d0d429fffdd350f7e68857ee1f67ade925c9a9
Instruction ID: 3ab011c2739ab1cfa4030bdfe348d6b5871191f5d8b2c76e37a9e5e7aef21527
Opcode Fuzzy Hash: e4e6141aa0df61e0a3b14dd5b3d0d429fffdd350f7e68857ee1f67ade925c9a9
Instruction Fuzzy Hash: EB1149B1D002488BCB10DFAEC8457EEFFF4EF48724F248419D519A7240C738A544CB94

Function 013BE7B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 013BE81A

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2541423660b191d5f4c89ae70519071dfc46a2be2ee88f0a257138fb1f7a518f
Instruction ID: 88ef9df1f69066691dadb191dbcfb40acd59b47a849a253878fc2ff7f5d4e927
Opcode Fuzzy Hash: 2541423660b191d5f4c89ae70519071dfc46a2be2ee88f0a257138fb1f7a518f
Instruction Fuzzy Hash: F11128B5D002488BDB24DFAEC4457EEFFF5EF88724F148429D519A7240CB79A544CBA4

Function 013BD300 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 013BD367

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1f669061853f9671304bbd9f06bc7a16b646eaf02f9e21660e14890b7751be05
Instruction ID: 177b0e87152f99ecfe35f364780a546c5f00e79c2f9e50dd36d9eb16d7d9312d
Opcode Fuzzy Hash: 1f669061853f9671304bbd9f06bc7a16b646eaf02f9e21660e14890b7751be05
Instruction Fuzzy Hash: C31103B5800248CFCB10DF9AD485BEEBBF4EF48314F20845AD518A7650C379A944CFA5

Function 013BA884 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 013BD367

Memory Dump Source

Source File: 00000005.00000002.3339018320.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_13b0000_Windows Update.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e3c350fbced808eeaccb6491d9395c95981fc17823cd759d4d506a8e86c93568
Instruction ID: 2c0d2dd6f8a2ad4916978f06c834d975530ddb8d2762fec966188938f1f45bcb
Opcode Fuzzy Hash: e3c350fbced808eeaccb6491d9395c95981fc17823cd759d4d506a8e86c93568
Instruction Fuzzy Hash: FF1115B5800349CFCB20EF9AD585BDEFBF8EB48314F20845AD619A7641D378A944CFA5

Function 0134D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3338229469.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_134d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e4336df2d6b87888b581ffabaebd9f6042e56d986a89da8d910c007236c668
Instruction ID: b13d61c69d6cf78f68d56dbf91979856282cee645d5886b01ee71c857dcffeef
Opcode Fuzzy Hash: 70e4336df2d6b87888b581ffabaebd9f6042e56d986a89da8d910c007236c668
Instruction Fuzzy Hash: 932104706042449FDB15DF68C5C4B26BBE9FBA4358F20C56DE90A4B352C33AE807C662

Function 0134D006 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3338229469.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_134d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3651e3712e73432ae0097ed437d1121b0f28402f8db422d76e9e6eee12d04935
Instruction ID: 8332dcb249b7c49c2353531a3bf0dc4b6a986fe5ca5b2b7419a64807a1affcb7
Opcode Fuzzy Hash: 3651e3712e73432ae0097ed437d1121b0f28402f8db422d76e9e6eee12d04935
Instruction Fuzzy Hash: 2321C3715083C08FC707CF24C994715BFB1FB56218F28C5EAD8498B6A3C33A980ACB62

Analysis Process: Windows Update.exePID: 728, Parent PID: 5272COMMON

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	236
Total number of Limit Nodes:	33

Executed Functions

Function 08EE1F68 Relevance: 1.9, APIs: 1, Instructions: 396
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d33c1221aaf07bc49601e7ba3171433eeee0cbd0c1fd5a63f938a7274dc7fa
Instruction ID: 165bc24b46351418a27a859436c00fe3008727784026eb3e31c7299c49b7f019
Opcode Fuzzy Hash: 42d33c1221aaf07bc49601e7ba3171433eeee0cbd0c1fd5a63f938a7274dc7fa
Instruction Fuzzy Hash: 20F16B31A00309CFDB14DFA9C988BADBBF5FF88305F148169F509AB2A5DB74A945CB50

Function 02757451 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027574DE
GetCurrentThread.KERNEL32 ref: 0275751B
GetCurrentProcess.KERNEL32 ref: 02757558
GetCurrentThreadId.KERNEL32 ref: 027575B1

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7d512fbcf71672b5cf96031781b7bf356c4e38b8cf9254282b6c0ca957453990
Instruction ID: a03d1408909e2103967e7f7ed1bc9b996b3bea3a8b3b613efd576be61260bb49
Opcode Fuzzy Hash: 7d512fbcf71672b5cf96031781b7bf356c4e38b8cf9254282b6c0ca957453990
Instruction Fuzzy Hash: E65144B0A003498FDB14DFA9D648BAEFBF1FF48314F208499E809A7261D7799945CB61

Function 02757460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027574DE
GetCurrentThread.KERNEL32 ref: 0275751B
GetCurrentProcess.KERNEL32 ref: 02757558
GetCurrentThreadId.KERNEL32 ref: 027575B1

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: bbee2a230218edfff19b9ef6474d6e74a85f1bd1f5137deedc2f9d68780b87dc
Instruction ID: d32dd707c22f829ba09108a1b33609b5d4cb4a7072320afdb533c29167cc4aec
Opcode Fuzzy Hash: bbee2a230218edfff19b9ef6474d6e74a85f1bd1f5137deedc2f9d68780b87dc
Instruction Fuzzy Hash: 905157B09003498FDB18DFA9D548BAEFBF5FF48314F208459E409A7360D7799944CB65

Function 08EE0C88 Relevance: 1.7, APIs: 1, Instructions: 218
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 08EE0D81

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: bc9ae91764bd35c1674afd058f2dcc266637f2a679fdcfa4e17b274e965fc962
Instruction ID: 510ac6cd0c1698012c0518182f6c4438c8f73fce4455e37993c1adb2efb89b31
Opcode Fuzzy Hash: bc9ae91764bd35c1674afd058f2dcc266637f2a679fdcfa4e17b274e965fc962
Instruction Fuzzy Hash: 35815A71D003588FCB15DFA9C4546DEBFF5FF49310F14842AE415AB261DB74A845CB60

Function 09032758 Relevance: 1.7, APIs: 1, Instructions: 206
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,00000000,00000000), ref: 09032946

Memory Dump Source

Source File: 00000006.00000002.2715578800.0000000009030000.00000040.00000800.00020000.00000000.sdmp, Offset: 09030000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9030000_Windows Update.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 5a968260ed2532ca8db1630c929fa4ffd90273454c81c04af8e0d2a095d25df6
Instruction ID: 41a1e31349cf4aecfc2adbf246e9208e3c3695c9e1baa6adaca71aaf4a5b2dfe
Opcode Fuzzy Hash: 5a968260ed2532ca8db1630c929fa4ffd90273454c81c04af8e0d2a095d25df6
Instruction Fuzzy Hash: C5815771D006199FDB10CFADC8857AEBBF5FF48310F548629E868E7290D7748881CB91

Function 0275D3E8 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0275D64E

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 524736ac895781ab42a8044cb008d810c642029e345a614e6b50ae23bbc00d3e
Instruction ID: 8c1b4ad8417579a888a188d7b027a9b61e705108890ed152437a0ed7f6f6bcaa
Opcode Fuzzy Hash: 524736ac895781ab42a8044cb008d810c642029e345a614e6b50ae23bbc00d3e
Instruction Fuzzy Hash: 07814670A00B158FDB24DF69D44476ABBF2FF88704F00892ED88AD7A50D7B5E946CB91

Function 08EE0C7C Relevance: 1.6, APIs: 1, Instructions: 134threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 08EE0D81

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 4473edb6b43605855cfd8a39c5b815b7fda25bed399495665e88898a6cdb3ba0
Instruction ID: 607ddad6765c8c653f35483e708488c91f11efc66d20f5cef7005de249ddf0db
Opcode Fuzzy Hash: 4473edb6b43605855cfd8a39c5b815b7fda25bed399495665e88898a6cdb3ba0
Instruction Fuzzy Hash: 4F517A72E00359CFCF15DFA9C854AEDBBB6BF44305F14842EE815AB261DBB4A845CB60

Function 0275F9F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0275FB02

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c9b61641a531cb14fdbcdafdcad64948f0821b6ce7878dc8333a3e3d6f27bd43
Instruction ID: 93aa1447f3235e32d7474377e3e780c4dc833956184a9968d5b52e4b2f33b4e9
Opcode Fuzzy Hash: c9b61641a531cb14fdbcdafdcad64948f0821b6ce7878dc8333a3e3d6f27bd43
Instruction Fuzzy Hash: A841C0B1D00359DFDB14CFA9C984ADEFBB5BF49314F24812AE819AB210D7749845CF91

Function 027576A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275772F

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4d4a0a31df0a121b419f1adc1af45a8eeb9987279175d599685dce119a56747e
Instruction ID: cbdf018a8ff9d9b6b807bb6ae37aa4e0f7f9baf7374a4393cbfa5b818eea3bc1
Opcode Fuzzy Hash: 4d4a0a31df0a121b419f1adc1af45a8eeb9987279175d599685dce119a56747e
Instruction Fuzzy Hash: 962103B5900249DFDB10CFAAD584ADEFBF5FB08310F24845AE958A3250D378A940CFA1

Function 027576A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0275772F

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e4e03b887f095342ffedbf59815e53ee0f204e26b10f4faf5e6d9b9bf907a08
Instruction ID: 97b12e9bd4e448138b2e6035e91c5a447acdfd0325a97938bc4eec46b66b31d9
Opcode Fuzzy Hash: 2e4e03b887f095342ffedbf59815e53ee0f204e26b10f4faf5e6d9b9bf907a08
Instruction Fuzzy Hash: 8621C2B5D002599FDB10CFAAD984ADEFBF9FB48310F14841AE918A3350D378A944CFA5

Function 08EE2528 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 08EE2598

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 2894d7bc35566a3ba7a89b8f6838ece44987bc563c1cdbad1e3eb24d5a9be7a8
Instruction ID: fc769dd079f7f678904daa5f5368ed921a52a5183431d0f7e594d8e80a38031b
Opcode Fuzzy Hash: 2894d7bc35566a3ba7a89b8f6838ece44987bc563c1cdbad1e3eb24d5a9be7a8
Instruction Fuzzy Hash: F911E4B68002099FDB10CF99D585BDEBBF8FB08314F10842AE918B3250C378A544DFA1

Function 08EE2530 Relevance: 1.6, APIs: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 08EE2598

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 7c3c7dbc2ae6f22c2a809fe6e518bd37c03dd8c50ab1724a0f97db38f5beb8a5
Instruction ID: b4b1eb7812674616244cc1e48a2fd9bb7781c576e8e059802d349a1325ef4e08
Opcode Fuzzy Hash: 7c3c7dbc2ae6f22c2a809fe6e518bd37c03dd8c50ab1724a0f97db38f5beb8a5
Instruction Fuzzy Hash: 7311C6B58002499FDB10DF9AD945BDEBBF8FB48314F10842AE558A3251C378A544DFA5

Function 08EE1120 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08EE117D

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 5713f4d1d6c5c5ad75f1792d9c7e80cff8a0d0a2385bdfd53ca14bd9e742aee7
Instruction ID: 1cc7ae1c693d55e909315950bd8a8cf08998f0947e8636e024f24e8a28838ea3
Opcode Fuzzy Hash: 5713f4d1d6c5c5ad75f1792d9c7e80cff8a0d0a2385bdfd53ca14bd9e742aee7
Instruction Fuzzy Hash: 7611F5B58003499FDB10DF9AC845BEEBBF8EB48320F108419E558A3650D378A584CFA5

Function 08EE111E Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 08EE117D

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: bc1dacf340b2c60253cd1d4a98f9bdb348838a347d17d22867ca67eb9ce9e7a8
Instruction ID: 05b05cd937d755d2199ff0fd40d08f2b9cb388744126ea9385119be2fd123df4
Opcode Fuzzy Hash: bc1dacf340b2c60253cd1d4a98f9bdb348838a347d17d22867ca67eb9ce9e7a8
Instruction Fuzzy Hash: 04110AB5800349CFDB10CF99C545BEEBBF4FB08311F148419E558A3650D378A584CFA1

Function 0275D5E8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0275D64E

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 57ab601cc4f5e754d9c919def06797bd4352eb0c43806f64295a886c8f6e34a7
Instruction ID: e9d552c41c5c1fa45ab78c5de0212cceb249512b8fa524e67ed83a8a645e7d13
Opcode Fuzzy Hash: 57ab601cc4f5e754d9c919def06797bd4352eb0c43806f64295a886c8f6e34a7
Instruction Fuzzy Hash: BB11E0B5D007598FCB20DF9AD444ADEFBF4EF88314F10846AD829A7610C3B9A546CFA5

Function 08EE3029 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 08EE308D

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c155e71c4fc438aff6b95f14c2b019eed436798f1e78f8196ff2f3a6990fc64a
Instruction ID: fba26e4e96bd9f17373af3c0f4a11d8b9c5eac8667c722588aabde3b682fd06a
Opcode Fuzzy Hash: c155e71c4fc438aff6b95f14c2b019eed436798f1e78f8196ff2f3a6990fc64a
Instruction Fuzzy Hash: A111EDB5C006498FCB10DF9AE588BDEBBF4EB48324F10855AE859A7610C378A545CFA5

Function 0275FC38 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 0275FC95

Memory Dump Source

Source File: 00000006.00000002.2708790406.0000000002750000.00000040.00000800.00020000.00000000.sdmp, Offset: 02750000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2750000_Windows Update.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: e422c35c28d08a3e0edaedc03c6f421a637f677e29a57f9f9bef3a8a961d854d
Instruction ID: 3e5609202706c6f26a4c47fe4ab38aee0db6b0e1e8111350a52a5bb81cd9c445
Opcode Fuzzy Hash: e422c35c28d08a3e0edaedc03c6f421a637f677e29a57f9f9bef3a8a961d854d
Instruction Fuzzy Hash: 7D1103B58002488FDB10DF9AD584BDEFBF8EB48324F10881AD918A3600C378A944CFA5

Function 08EE3030 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32 ref: 08EE308D

Memory Dump Source

Source File: 00000006.00000002.2715302620.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_8ee0000_Windows Update.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f3933903bc7cc711361a48604753c41e02031946846545d85b98e753fb95b1d0
Instruction ID: d0439a2481b54f19672a1d3b0a6ca147e069e3804ce18085cd9a45ca683e2770
Opcode Fuzzy Hash: f3933903bc7cc711361a48604753c41e02031946846545d85b98e753fb95b1d0
Instruction Fuzzy Hash: 7A110DB5C006488FCB20DF9AE448BDEFBF8EB48324F10842AE419A3300C378A544CFA5

Function 00D8D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d7bda6a4875bd4186bdf3223f2dc0b4a42453f45c47d57b89ec3dc1f4bd97f
Instruction ID: fae1617523412cf2d7ae2ddedd2f63885e54a602dd985263e980f8afbc85364e
Opcode Fuzzy Hash: f2d7bda6a4875bd4186bdf3223f2dc0b4a42453f45c47d57b89ec3dc1f4bd97f
Instruction Fuzzy Hash: FA21F871504204DFDB05EF14D9C0F26BF66FB99318F2485AAD9090B2D6C33AD856D7B2

Function 00D8D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7280cc13d1319433126f642d42babf217be90593e0eb62b95d921823b6248ce1
Instruction ID: 31b7c9e25d181caf544cf261b1de1d1063d3a961a1131a3a5cab9a55c4094329
Opcode Fuzzy Hash: 7280cc13d1319433126f642d42babf217be90593e0eb62b95d921823b6248ce1
Instruction Fuzzy Hash: 1A21F1B1500204EFCB05EF58D9C0B26BF66FB98320F24C569E9490B2D6C33AE816D7B1

Function 00D9D498 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708561501.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3367d61cec1e9ff09e5340b2b35d402b6fbcef5e025972d3668176a9382785
Instruction ID: 03857f1d12832101bc7ccd6238eaba725d2724d1db47e8c1da010429207648ee
Opcode Fuzzy Hash: 1c3367d61cec1e9ff09e5340b2b35d402b6fbcef5e025972d3668176a9382785
Instruction Fuzzy Hash: 50213871504204DFDF11DF14D9C0F2ABB66FB84318F24C56AD8490B256C33AE846CBB2

Function 00D9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708561501.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 554fa34984f8a88053efe31a675707191d165ffc1b5764ff7cd9a80f6a9f8058
Instruction ID: c5a5bc676c6e71f7f69b109ad6fee6f55eb511865250e32e2ce0277eb84745b6
Opcode Fuzzy Hash: 554fa34984f8a88053efe31a675707191d165ffc1b5764ff7cd9a80f6a9f8058
Instruction Fuzzy Hash: F221F271604204DFDF14DF24D984B26BF66FB88314F24C569E94E4B296C33AD807CA71

Function 00D9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708561501.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1ee0a9d370421b070c1b6f89d5f183421cd741ff1512896ebcf27d65fe4843
Instruction ID: e2293cc2d553c0fe383d215f426593d0bf29b5fefd20816649e2912df951f812
Opcode Fuzzy Hash: 3f1ee0a9d370421b070c1b6f89d5f183421cd741ff1512896ebcf27d65fe4843
Instruction Fuzzy Hash: 2E215E755093808FDB16CF24D994715BF72EB46314F28C5EAD8498B6A7C33A980ACB62

Function 00D8D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 4ff1b53bee707045cd16571a4bec2fedbb88431aaaca7aad29ad8ffa01b986f8
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 4C11D376504240DFCB16DF14D5C4B16BF72FB99314F28C6AAD9090B296C33AD85ACBA2

Function 00D8D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 5b9c652939d2e64f0f87aff658d711359613d2590c127e8595ec9f498fce7cee
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 2811E676504240DFCB06DF14D5C4B16BF72FB94324F28C5A9D9490B696C33AE85ACBA2

Function 00D9D493 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708561501.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d9d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction ID: 68a166fdded524804424e184a187a090cd8977dafefff62e33bede94e81f3151
Opcode Fuzzy Hash: 58489c3f61924d27558184a5eb21aea17821769c0c96028cc0fb4c2ef8240ab9
Instruction Fuzzy Hash: 9011C476504280CFDB12CF14D5C4B19FF72FB85324F29C6AAD8494B656C33AD84ACBA2

Function 00D8D667 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe009e701ac80bae3d025aeffda18658c0ca7e51844300919a18f709ecb7c63a
Instruction ID: a1de9e9b5eaafb3a63db9137d5ad90b94cfbb8459ba4a4d675b9735c1bb1344c
Opcode Fuzzy Hash: fe009e701ac80bae3d025aeffda18658c0ca7e51844300919a18f709ecb7c63a
Instruction Fuzzy Hash: CCF0F976600604AF9720DF0AD985C27FBAEEFC4770719C55AE84A4B652D671EC42CFB0

Function 00D8D658 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2708530577.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_d8d000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190ae05e4a09fc692ee6386c5c85921266aff286fba44f2b3b847a4a13a9b7ec
Instruction ID: a05931167b9a6e8b1b9d638e4f61698b10657f651eee3939b16cfef0cc96fa95
Opcode Fuzzy Hash: 190ae05e4a09fc692ee6386c5c85921266aff286fba44f2b3b847a4a13a9b7ec
Instruction Fuzzy Hash: A8F03C75104684AFD3258F05C984C22BFBAEF857607198489E88A4B652C631FC42CB70

Analysis Process: WindowsUpdate.exePID: 2888, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	78
Total number of Limit Nodes:	4

Executed Functions

Function 01864AE8 Relevance: 17.1, APIs: 1, Strings: 7, Instructions: 3086
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01864E7D

Strings

(, xrefs: 01865139
-, xrefs: 0186511B
., xrefs: 0186521F
Coronovirus.Coronovirus, xrefs: 01865014
U, xrefs: 01865143
(, xrefs: 01865125
F, xrefs: 0186510D

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$Coronovirus.Coronovirus$F$U
API String ID: 2994545307-4112397783
Opcode ID: 24f6683a2d1be13afe830d0ecc0a23fff04fdf27362fd8934b78384afd6ecc43
Instruction ID: 7c073fa4dd2e65862c8b09dd44b49b7ec11d892ce796279f04ce151cefdac09a
Opcode Fuzzy Hash: 24f6683a2d1be13afe830d0ecc0a23fff04fdf27362fd8934b78384afd6ecc43
Instruction Fuzzy Hash: B7533E74A412198FCB54DF69DD94B9EB7BABF88300F1085D8D80DAB369DA305E88CF54

Function 01864A57 Relevance: 16.8, APIs: 1, Strings: 7, Instructions: 2841
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 01865139
-, xrefs: 0186511B
., xrefs: 0186521F
Coronovirus.Coronovirus, xrefs: 01865014
U, xrefs: 01865143
(, xrefs: 01865125
F, xrefs: 0186510D

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID:
String ID: ($($-$.$Coronovirus.Coronovirus$F$U
API String ID: 0-4112397783
Opcode ID: 96c60c676bc995c38389ad70615192ea112e0da06e75c971bd811d3c260050d1
Instruction ID: de04b5f240962929b82011cf86a6fd315c91e6a6bc2f497d0914f55b5c02b215
Opcode Fuzzy Hash: 96c60c676bc995c38389ad70615192ea112e0da06e75c971bd811d3c260050d1
Instruction Fuzzy Hash: F2534F74A412198FCB54DF69DD94A9DB7BAFF88300F1085D8D80DAB369DA306E88CF54

Function 01864AD8 Relevance: 16.8, APIs: 1, Strings: 7, Instructions: 2779
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01864E7D

Strings

(, xrefs: 01865139
-, xrefs: 0186511B
., xrefs: 0186521F
Coronovirus.Coronovirus, xrefs: 01865014
U, xrefs: 01865143
(, xrefs: 01865125
F, xrefs: 0186510D

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$Coronovirus.Coronovirus$F$U
API String ID: 2994545307-4112397783
Opcode ID: 1599f733fb1667584f67bcfc005bac637c72f4d27b7a4fe763b9090ec2acd567
Instruction ID: 4092f935a65a164192f7d7dbc0fcc795290df414b8fb53bd39716bc0918082ad
Opcode Fuzzy Hash: 1599f733fb1667584f67bcfc005bac637c72f4d27b7a4fe763b9090ec2acd567
Instruction Fuzzy Hash: 0A433F74A412199FCB54DF69DD94B9DB7BABF88300F1085D8D80DAB369DA306E88CF44

Function 01860860 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 01860C88

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 32d307f27a19854a7cba3d1459ce53b7175713840d616e24624cc445fd2000a6
Instruction ID: 897b2b771c092959aed6c1853e91f41973945fee1f2e462e449b0dae458e57b5
Opcode Fuzzy Hash: 32d307f27a19854a7cba3d1459ce53b7175713840d616e24624cc445fd2000a6
Instruction Fuzzy Hash: 7602F671E002099FDB54CF98C590AADBBB6FF49310F64855AE815EB309D334EE81CB96

Function 0186EC7D Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0186EEBE

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: df9dfb931557f786ad48b4184c8f932f54c0b705c864338bb9d657864c8bb08c
Instruction ID: acf1053e21318e84faeb9b155c296ad796addf6b28343912b96b7cc1df000edd
Opcode Fuzzy Hash: df9dfb931557f786ad48b4184c8f932f54c0b705c864338bb9d657864c8bb08c
Instruction Fuzzy Hash: C5A15B75D002198FEB21CF6CC840BEDBBB6BF58310F1485A9D818E7290DB749A85CF91

Function 0186EC88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0186EEBE

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2989d11859c473bbfbbc37bdec188e06978b3977a30ed7e0ea2a6a67c834b75e
Instruction ID: dd209c071767619378d32e2be945efde286e1fa58e220fcc698423215d081772
Opcode Fuzzy Hash: 2989d11859c473bbfbbc37bdec188e06978b3977a30ed7e0ea2a6a67c834b75e
Instruction Fuzzy Hash: 08914B75D006198FEB25CF6CC840BEEBBB6BF58310F1485A9D818E7290DB749A85CF91

Function 0186E9F8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0186EA90

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 46b8f97bc8d1f78fbe2a96ef763890f0c629f559b59405f3f98966023a91e7e1
Instruction ID: 51f2cce321906a1824b005437f35c42720de396adfef123bdc8191b72d47a19a
Opcode Fuzzy Hash: 46b8f97bc8d1f78fbe2a96ef763890f0c629f559b59405f3f98966023a91e7e1
Instruction Fuzzy Hash: A62125B59003599FDB10DFAEC885BEEBBF5FF48310F10842AE919A7240D7789944CBA0

Function 0186EA00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0186EA90

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ed5c517b21e1911625d7ce302499e098f7cf81a4f5aca4cfef7476082260ecf3
Instruction ID: 1d3704c8e8be615517748b097f631362e76e338841461d8745a851f69336e209
Opcode Fuzzy Hash: ed5c517b21e1911625d7ce302499e098f7cf81a4f5aca4cfef7476082260ecf3
Instruction Fuzzy Hash: FF2105B59003499FDB10DFAAC885BEEBBF5FF48310F10842AE919A7250D7789944CBA0

Function 0186E860 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0186E8E6

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c31fb62528a21c2cf0185d26cd4ea119cae10e106782422409336403adfa79f
Instruction ID: bf2f7b8d3b9410f99d1de0c5948e240de27e6b2fbbf23ac79efb4e74024072e2
Opcode Fuzzy Hash: 2c31fb62528a21c2cf0185d26cd4ea119cae10e106782422409336403adfa79f
Instruction Fuzzy Hash: 62213771D002098FDB10DFAAC885BEEBBF4EF48320F14842AD519A7241CB789A45CFA0

Function 0186EAEA Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0186EB70

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e74d573380005c6f4589cf5218f7e272838574c1fe9dc0f33ed398305ff79868
Instruction ID: b5a140367007b5f82e5e589967f74d2fd90e3156acb3323852e6bc8690fbd345
Opcode Fuzzy Hash: e74d573380005c6f4589cf5218f7e272838574c1fe9dc0f33ed398305ff79868
Instruction Fuzzy Hash: 562139B1C007599FDB10DFAAC881AEEFBF5FF48320F50842AE519A7250C7389544CBA0

Function 0186E868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0186E8E6

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dc078addcdbac844ee623ab112063c2f49f29cbda04f644ca047ac7515f04bd5
Instruction ID: 0f7a2e6e4c0f2622bc96d3d8c6fb6af6e27a9ee821f4102fab2d9be504ecc92c
Opcode Fuzzy Hash: dc078addcdbac844ee623ab112063c2f49f29cbda04f644ca047ac7515f04bd5
Instruction Fuzzy Hash: CA211875D003098FDB10DFAAC485BAEBBF4EF48310F14842AD519A7241CB789A44CFA5

Function 0186EAF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0186EB70

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9a1225642b24c2b4748488965af27ed5ec18a7ba48b100d0406aa5cb05532209
Instruction ID: 8cb24b799ec1dfe73441be47eb94cf995400ba9e1a4c93b6354712376210d424
Opcode Fuzzy Hash: 9a1225642b24c2b4748488965af27ed5ec18a7ba48b100d0406aa5cb05532209
Instruction Fuzzy Hash: 132109B1C003499FDB10DFAAC885AEEFBF5FF48310F50842AE519A7250C7789544CBA1

Function 0186D528 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00000000,?), ref: 0186D5A8

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: aa93c448321a92069e22f09effa5cc11f88655744745e06a2ecf37b08f3696db
Instruction ID: db4cb1a8d418f0a444bc45939d00a41ccc4111770844b1eb9536eb0455508463
Opcode Fuzzy Hash: aa93c448321a92069e22f09effa5cc11f88655744745e06a2ecf37b08f3696db
Instruction Fuzzy Hash: 2E2149B1D002098FDB10DFAAC944BEFBBF9AF88314F14842AD555A7250CB799A45CFA0

Function 0186D241 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0186D2B6

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0c5aade7ce3ed295a848fb9219a813581ed12011fc9ff9e14f7bb56ea030673b
Instruction ID: 2b26967ed2378516afd997da02bdcc827d98a3c7a4be7e5793d2d5aa6ac5afe6
Opcode Fuzzy Hash: 0c5aade7ce3ed295a848fb9219a813581ed12011fc9ff9e14f7bb56ea030673b
Instruction Fuzzy Hash: 44110BB1D006498EDB10DFAAC4446AEFBF9FF48320F508519D559A7250CB78A544CFA5

Function 0186D530 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 0186D5A8

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 6072a32b0b41e6632ff1a13710cc87c9af080312b196794826bd33636e5cf8a5
Instruction ID: 3da1e07bd7bfc46819b23dc24dbe294e5e1c193502d7c05b8ea84b5cc5beae20
Opcode Fuzzy Hash: 6072a32b0b41e6632ff1a13710cc87c9af080312b196794826bd33636e5cf8a5
Instruction Fuzzy Hash: 9F211571D002098BDB14DFAAC945BAEBBF5AF88310F14842AD455A7250CB79AA44CFA1

Function 0186E938 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0186E9AE

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83e28b42cfae9efa264e4362fe5abefb08ddfb7bf172774b3b12ae81b728546b
Instruction ID: eaf7c0d1a4b55c072003eb8a841c43d35c2b5dfb189a5818a0697c79f245d097
Opcode Fuzzy Hash: 83e28b42cfae9efa264e4362fe5abefb08ddfb7bf172774b3b12ae81b728546b
Instruction Fuzzy Hash: EE1167719002499FDB10DFAAC845BEFBFF5EF48320F108419E519A7250CB79A540CFA0

Function 01860D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01860D83

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a68fb23e935f1785df37d7f89eca534288e285cf7cf3748df39137dc7369dc12
Instruction ID: 781f17a89b557e3d9b538d81c073eae0ef8ec029e09702065004af3abe41ce4f
Opcode Fuzzy Hash: a68fb23e935f1785df37d7f89eca534288e285cf7cf3748df39137dc7369dc12
Instruction Fuzzy Hash: EA21F9B59006499FDB10DF9AC444BDEFBF8FF48310F108429E958A7250D778A644CFA5

Function 0186D248 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0186D2B6

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 70764152d91ff27ca12ea47b14a000b5b6802d194d7cde168b98101d4bbace56
Instruction ID: 89f7cbe2a7797e64e934b832c5ce70a0f0b955d70699b3f7f64ff89b69535ec0
Opcode Fuzzy Hash: 70764152d91ff27ca12ea47b14a000b5b6802d194d7cde168b98101d4bbace56
Instruction Fuzzy Hash: FC11F9B1D006498FDB10DFAAC444AAFFBF9FF48324F50842AD559A7250CB78A944CFA1

Function 0186E940 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0186E9AE

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 90daa59c3b30182b4430a286cb554086f44a15becc01420e3c6a67e5616c5b71
Instruction ID: 18707d05487f6f7a363c24b0c5d8d0a129b26f9a6079c4086bf5e12c0e221cf6
Opcode Fuzzy Hash: 90daa59c3b30182b4430a286cb554086f44a15becc01420e3c6a67e5616c5b71
Instruction Fuzzy Hash: 5F1137759002499FDB10DFAAC844BEFBFF5EF48320F108419E519A7250CB79A544CFA1

Function 0186E7B1 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0186E81A

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0d6523cd8cbee98ec3145f6d848af55202e948cd8b7d0b06f9b297cce14e5c7c
Instruction ID: c2f8eabd5ebb759778e78a476e4780ee7fc0ab8d90b4e3ddbe43293548749d5a
Opcode Fuzzy Hash: 0d6523cd8cbee98ec3145f6d848af55202e948cd8b7d0b06f9b297cce14e5c7c
Instruction Fuzzy Hash: 07112BB1D006498FDB14DFAAC8457EEFBF5EF48320F148429D519A7240CB79A944CB94

Function 0186E7B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0186E81A

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 79cccb56d6451c197785304e4ffd17688792660cbb5216d3f4cd90cb9652afcb
Instruction ID: 25e4ce37bab7558327bf6e70b3154e9b8af8ce83d7704a25d57fa755cc9325da
Opcode Fuzzy Hash: 79cccb56d6451c197785304e4ffd17688792660cbb5216d3f4cd90cb9652afcb
Instruction Fuzzy Hash: 2C113AB1D002498FDB14DFAAC4457EFFBF9EF88320F148419D519A7240CB79A544CBA4

Function 0186D300 Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0186D367

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4232a566a395699ad06f93641f32f88a4880ab3c47b0e894cf25216680264f0b
Instruction ID: 2a6c8aa16a6a278dc57f5c6e01576b7d4c3b89f901e13ee548cd4b0dd682f786
Opcode Fuzzy Hash: 4232a566a395699ad06f93641f32f88a4880ab3c47b0e894cf25216680264f0b
Instruction Fuzzy Hash: CE1133B1900248CFCB10DF99E544BEEBBF8FB48320F20841AD558A7250D378A944CFA1

Function 0186A884 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0186D367

Memory Dump Source

Source File: 0000000C.00000002.3340501641.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1860000_WindowsUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5eed5c8b0b68df6027d949f22573c137c79ea5ab4378786c8a3717b29fa03d0c
Instruction ID: c45739a9304c1a2c57a6cf152b1df1f7f20f9e040bb9d543eee469a6e6347c91
Opcode Fuzzy Hash: 5eed5c8b0b68df6027d949f22573c137c79ea5ab4378786c8a3717b29fa03d0c
Instruction Fuzzy Hash: 191103B1900649CFCB10DF9AD544B9EFBF8EB48324F20845AE558A7240D778A944CFA5

Function 017AD01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3339671123.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17ad000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac0a5e2a61299bb6230013e180facd886886f09214b02ede7e941639e5fd209
Instruction ID: 7e0efd95efc7bd49c017fcc65946fc6b38ef4e18ad95ba0d6c5a415da4125977
Opcode Fuzzy Hash: 4ac0a5e2a61299bb6230013e180facd886886f09214b02ede7e941639e5fd209
Instruction Fuzzy Hash: A1212FB06842009FCB25DF68C584B27FBA5FBC4314F60C6ADE8494B652C33AD807C662

Function 017AD017 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3339671123.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_17ad000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d49e4a1442b6ae817b54e6d01109cf66e3cf9bb30be93c629efda23a912acd
Instruction ID: 9428abd89dd88bd794e4dfe0fb4b7dbdf20a981a3e1132dd35969c297f7f3bef
Opcode Fuzzy Hash: 93d49e4a1442b6ae817b54e6d01109cf66e3cf9bb30be93c629efda23a912acd
Instruction Fuzzy Hash: F3119D75544284CFDB26DF14D588B16FFA1FB84214F24C6A9D8494BA52C33AD84ACB52

Function 05760560 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3365600031.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5760000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e8311e824d04aeacca5d1e3b9f22c9511ea7c7ce4131e74fb51722760b825a
Instruction ID: d96d0aba331e699d518e09f1313dca43f5e4bc6ddb6d958363efc051266c5b5e
Opcode Fuzzy Hash: 18e8311e824d04aeacca5d1e3b9f22c9511ea7c7ce4131e74fb51722760b825a
Instruction Fuzzy Hash: BAF030749093C49FC352DFB4C8589597FF0AF07201F1A81EBD884CB2A3D6308A44EB52

Function 05760AA4 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3365600031.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5760000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb7ff87779e751235f07266728290bd1f8be8f86c89bcbc61ab9da02cf2629a
Instruction ID: f41854aaab4ce3009439454272cca90b7b12493434dd98e8bada51b50b373a8f
Opcode Fuzzy Hash: deb7ff87779e751235f07266728290bd1f8be8f86c89bcbc61ab9da02cf2629a
Instruction Fuzzy Hash: C2E0ED7040F388AFD3138B7889185657F38DB13255B1941EFD8859A5A3CA360E54EBA2

Function 05760580 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3365600031.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5760000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c91c8576e4cfe6e8b73892a4cd4b77ff18ac5c3e3ced859e96d8f0d23eaf19
Instruction ID: c26fe5ccfb043d4d0f40c60a94609cd2af8d8fad8d820c492eaf99226a39c201
Opcode Fuzzy Hash: 44c91c8576e4cfe6e8b73892a4cd4b77ff18ac5c3e3ced859e96d8f0d23eaf19
Instruction Fuzzy Hash: 56E0B674911208DFC750DFA8D589A9CBFF4AB08201F6040E9E90597361EA319E50EB81

Function 05760AC0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3365600031.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5760000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cabda00d009bb61f79a017ec374db2356c7ff7bc46add1fb19b00a2e5f544b8
Instruction ID: 2cebb764260b04865de4ce3d81bf39b38d03138c121f4ccc0afe560b7320d70c
Opcode Fuzzy Hash: 8cabda00d009bb61f79a017ec374db2356c7ff7bc46add1fb19b00a2e5f544b8
Instruction Fuzzy Hash: 29D0A970402208DFC314DBA88104699772CEB01211F2000AC980422280CE328A40E681

Analysis Process: WindowsUpdate.exePID: 6364, Parent PID: 2888COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	70
Total number of Limit Nodes:	7

Executed Functions

Function 017BD3E8 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017BD64E

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 069027ee88ba8bfdb8e8967ad4bd502be08afcc486ecf352ef741d925d686cdd
Instruction ID: 9c88e8ebd6baf5d54a13931829abd0b27b133ed58cd24abd503c86ca8a989333
Opcode Fuzzy Hash: 069027ee88ba8bfdb8e8967ad4bd502be08afcc486ecf352ef741d925d686cdd
Instruction Fuzzy Hash: 7D816970A00B058FD725DF69D49479ABBF5FF88308F108A2ED44AD7A50DB79E849CB90

Function 017BC45C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 017BFB02

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0814bf4ecca7bfce03fc1abfe961a022c0d4704be0ef1358ebe115fabe5a7ecc
Instruction ID: 31c9f96b6bc0343a8d802752d58c888ca4ef4a56a3499443fad7991e0f9223ad
Opcode Fuzzy Hash: 0814bf4ecca7bfce03fc1abfe961a022c0d4704be0ef1358ebe115fabe5a7ecc
Instruction Fuzzy Hash: 6251C0B1D003099FDB14DFAAC994ADEFFB5BF48710F24812AE819AB210D7749945CF90

Function 017B7768 Relevance: 1.6, APIs: 1, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017B772F

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 701c0313d352de115fe724a23fceb3987ec611cbd98161f95df26b65524ecfaa
Instruction ID: 605f0642ba4895851b7ba57f8e17083490e3a8b75ae5b9465cee5a9e1ef7f441
Opcode Fuzzy Hash: 701c0313d352de115fe724a23fceb3987ec611cbd98161f95df26b65524ecfaa
Instruction Fuzzy Hash: 7F4119B4A102089FE704DF65E586BAA7FB6FB98311F208169FA0597380CB785C55DF22

Function 017B76A0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017B772F

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b103a12f913b9628c199b0b28342c89d64b64f436dc17fd97894f0e5b4846ed2
Instruction ID: 865fb03a39fb52af88fbe9b50cc53274b905fe979b05684062a9c670a2aaeb4d
Opcode Fuzzy Hash: b103a12f913b9628c199b0b28342c89d64b64f436dc17fd97894f0e5b4846ed2
Instruction Fuzzy Hash: 8E21E3B5900248AFDB10CFAAD985ADEBFF5EB48310F14801AE918A3350D378A945CFA1

Function 017B76A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017B772F

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1c0a0d86e50a0d001f8a106bac4400bd0f9d74bceba7a2e2df4c470a873de7d6
Instruction ID: 92e700649c68eb21befd5bb3450345e4383cec58ef7ab3485ff496b6df6a6a67
Opcode Fuzzy Hash: 1c0a0d86e50a0d001f8a106bac4400bd0f9d74bceba7a2e2df4c470a873de7d6
Instruction Fuzzy Hash: 5821D3B59002489FDB10CFAAD984ADEFFF9FB48310F14841AE918A3350D378A944CFA5

Function 017BD5E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 017BD64E

Memory Dump Source

Source File: 0000000E.00000002.2859920378.00000000017B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_17b0000_WindowsUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cd00a27098aa78f146aba3658e42c4a225fd8b85a8561c868b5647b437166088
Instruction ID: 9281493d1001b089fe8e519007964e429d501e4fea094dfa22f00e8b229211ba
Opcode Fuzzy Hash: cd00a27098aa78f146aba3658e42c4a225fd8b85a8561c868b5647b437166088
Instruction Fuzzy Hash: 8511DFB6C003498FDB20DF9AD444BDEFBF5AB88328F14842AD529A7210C379A545CFA5

Function 0155D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2771610541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_155d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a626a293317e5240e41fd531cdd734ebf99df7526a32cf778bda23ce2cb2284
Instruction ID: ced09656124a71573971f759629d66cd3a95f1ded2cb0e0b3dd13aba0613cdf2
Opcode Fuzzy Hash: 1a626a293317e5240e41fd531cdd734ebf99df7526a32cf778bda23ce2cb2284
Instruction Fuzzy Hash: 96210672500204DFDB45DF98D9D0B1ABFB5FB88318F20856ADD090F256C33AD456CAA2

Function 0155D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2771610541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_155d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cb9530c37cc66cc34df1b6a842140f35128d8d8d147717485c0494b8eb1177
Instruction ID: 399196325cb8277ad4941787f38186d72b7fe8b511866ad664812400af42866e
Opcode Fuzzy Hash: c2cb9530c37cc66cc34df1b6a842140f35128d8d8d147717485c0494b8eb1177
Instruction Fuzzy Hash: AA21F172500204DFDB45DF98D9D0B6ABFB5FB98320F20C56AED090F256C37AE456C6A2

Function 0156D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2787164736.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_156d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2eff684d7048a5447678e789f83189bb0e916ca7b0b4c87557ebb2b617af990
Instruction ID: 0f73df53db8fc6ab560c7c470f086e73c08e1a46fe10c16f3776500146425dae
Opcode Fuzzy Hash: b2eff684d7048a5447678e789f83189bb0e916ca7b0b4c87557ebb2b617af990
Instruction Fuzzy Hash: 64210375604204DFCB15DF68D580B26BFB9FB88324F20C969D9890F256D33BD406CAA1

Function 0156D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2787164736.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_156d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 395e43eff318f161ada2d1a86243109eaaf0bca53fe4a293d4cd7d9300c8029c
Instruction ID: bed918291da03b5c45d0c9a1838c39bd5ac9f0eec7f1bc434a592506cd3f78f6
Opcode Fuzzy Hash: 395e43eff318f161ada2d1a86243109eaaf0bca53fe4a293d4cd7d9300c8029c
Instruction Fuzzy Hash: 162183755093808FD703CF24D594715BF71FB46214F28C5DAD8898F267C33A980ACBA2

Function 0155D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2771610541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_155d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 84b5f7d1cce7c3b99e878a71d7fddede82baf5ff058d18f6f2326696a28e66da
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 3B11AF76504240CFDB16CF54D5C4B1ABF71FB88318F2486AADD490F656C33AD45ACBA2

Function 0155D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2771610541.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_155d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 135dc40a949cf629af2b14226e7ad391144fff9ff9b63e41737bee1ad8fa9709
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 7711DF72404240CFDB02CF44D5C4B5ABF72FB84320F24C5AADD090B656C33AE45ACBA2

Analysis Process: WindowsUpdate.exePID: 5392, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	74
Total number of Limit Nodes:	0

Executed Functions

Function 01354AE8 Relevance: 15.3, APIs: 1, Strings: 6, Instructions: 3086
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01354E7D

Strings

(, xrefs: 01355125
-, xrefs: 0135511B
U, xrefs: 01355143
F, xrefs: 0135510D
., xrefs: 0135521F
(, xrefs: 01355139

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$F$U
API String ID: 2994545307-2826122012
Opcode ID: 25b192d17137a890660b7554c01352b576db40f320f810e9083223e1373c06c4
Instruction ID: 560e5ef614cdd11398815da97fd60aa358a6746fb0edc0207fb06ace948c8d44
Opcode Fuzzy Hash: 25b192d17137a890660b7554c01352b576db40f320f810e9083223e1373c06c4
Instruction Fuzzy Hash: 2F532F74A402198FCB54DF69DD94A9EB7BABF88300F1085DDD90DAB369DA306E84CF44

Function 01354AD8 Relevance: 15.0, APIs: 1, Strings: 6, Instructions: 2777
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01354E7D

Strings

(, xrefs: 01355125
-, xrefs: 0135511B
U, xrefs: 01355143
F, xrefs: 0135510D
., xrefs: 0135521F
(, xrefs: 01355139

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: InitializeThunk
String ID: ($($-$.$F$U
API String ID: 2994545307-2826122012
Opcode ID: 5e9cf481c4978354d5534152109a31e6a4421156858c25f3715dab6703634855
Instruction ID: ab8c6fb9a099277ac299e50a0165ad9fa24c28b978348f07462b6b62b9749803
Opcode Fuzzy Hash: 5e9cf481c4978354d5534152109a31e6a4421156858c25f3715dab6703634855
Instruction Fuzzy Hash: 1E432F74A402298FCB54DF69DD94A9DB7BABF88300F1085DDD80DAB369DA306E84CF54

Function 01350720 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 01350C88

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2771afbbecb63f341fcc4801956a009fbca0519ee76587085767a93b22ac7561
Instruction ID: a301166f74b8337cc47a58c58a1b626f36a378645a961ecb048a5a2adadc3ae3
Opcode Fuzzy Hash: 2771afbbecb63f341fcc4801956a009fbca0519ee76587085767a93b22ac7561
Instruction Fuzzy Hash: EB020971E002098FDB68CF98C490AADBBB2FF49714F64855AEC15EB249D335ED81CB91

Function 0135EC7D Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0135EEBE

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 19643f087b23f681c3b05ec42ea03747a7a4945939ae0e2f4db06eabdc2db8be
Instruction ID: d67683018be7f7affc07bf3a8c2995b33e5926d0e7f3b2a606651f141b9cabf5
Opcode Fuzzy Hash: 19643f087b23f681c3b05ec42ea03747a7a4945939ae0e2f4db06eabdc2db8be
Instruction Fuzzy Hash: 9FA14A71D002198FEB64CF68C841B9DFBB2BF48714F1485AAD818A7250DB759A85CF91

Function 0135EC88 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0135EEBE

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e92e2f8e85d5e3e65925764d957b35bd77bf3c44906121edf05c543ba6605817
Instruction ID: c816c7cbba8b1b264e51355b3ccb370933e73fce74ee1726a5702cf2da5cb57b
Opcode Fuzzy Hash: e92e2f8e85d5e3e65925764d957b35bd77bf3c44906121edf05c543ba6605817
Instruction Fuzzy Hash: 41915971D002198FEB64CF68C841BADFBB2BF48714F1485AAD818A7290DB749A85CF91

Function 0135EA00 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0135EA90

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 1d62d91de26e4cebc489297198188d1bc060d2091af1eac2d69d455aa5093728
Instruction ID: 23da9cc5e304bbc7d47a3a26ced86d8a2fe9a07d87956b159758d5e2e6d5ee70
Opcode Fuzzy Hash: 1d62d91de26e4cebc489297198188d1bc060d2091af1eac2d69d455aa5093728
Instruction Fuzzy Hash: CB2105B59003499FDB10DFAAC885BEEBBF5FF48314F10842AE919A7250D7789944CBA4

Function 0135E9F8 Relevance: 1.6, APIs: 1, Instructions: 68
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0135EA90

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bdd357aa22e61f9d48d49082eef53994179031b61146e3c17af3463b191ccf67
Instruction ID: bac54981e24f005fb292550f2c19bdb61e0962886467797b928b60188758c845
Opcode Fuzzy Hash: bdd357aa22e61f9d48d49082eef53994179031b61146e3c17af3463b191ccf67
Instruction Fuzzy Hash: F02128B5D003099FDB50DFA9C985BEEBBF5FF48310F10882AE919A7250D7789544CBA0

Function 0135EAEB Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0135EB70

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 85316a467f9ac4bb7d9021ae69003023a7751f1d6f39c4532e1c67b10dc69399
Instruction ID: ad1872e5124d421e2094f4710f13a07772c933c6abe56ea14244b879ab550260
Opcode Fuzzy Hash: 85316a467f9ac4bb7d9021ae69003023a7751f1d6f39c4532e1c67b10dc69399
Instruction Fuzzy Hash: A52109B1C003499FDB10DFAAC885AEEFBF5FF48320F508429E919A7250C7789544DBA4

Function 0135E868 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0135E8E6

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6471ed69193b7172257f0e92a0116c433839908ce52501ae42c339e6d864d632
Instruction ID: 7251173946f1b01bceec77ac01d909c3b4afbce0805eded85eb7f842649e6476
Opcode Fuzzy Hash: 6471ed69193b7172257f0e92a0116c433839908ce52501ae42c339e6d864d632
Instruction Fuzzy Hash: AC21F5B1D002098FDB50DFAAC485BAEBFF4EF48714F148429D519A7240CB789A44CBA5

Function 0135EAF0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0135EB70

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 9dd2688d99ed53ad8cfdf0bdb20f2e10918aa74cd45fc08250d967a5c7748031
Instruction ID: c65dd26ec5cbfc71e1bb24afc23981f8426fcd8028751f444e49fe067efb980b
Opcode Fuzzy Hash: 9dd2688d99ed53ad8cfdf0bdb20f2e10918aa74cd45fc08250d967a5c7748031
Instruction Fuzzy Hash: 002109B1C003499FDB10DFAAC845AEEFBF5FF48310F508429E919A7250C7789544DBA4

Function 0135E860 Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0135E8E6

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cb720f3c977e750d9fae68c3d1f6bcf82ffe5e39aac099c708e13bcf6c4faf92
Instruction ID: c746c77b6b988e5136cdce845f65aeb8135ccb5380a620030ca7248752965418
Opcode Fuzzy Hash: cb720f3c977e750d9fae68c3d1f6bcf82ffe5e39aac099c708e13bcf6c4faf92
Instruction Fuzzy Hash: 642123B1D003098FDB50DFAAC585BAEFBF5EF48724F14842AD519A7240DB789A45CFA0

Function 0135D528 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00000000,?), ref: 0135D5A8

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: b39b4996bb2c835853fff5b423d6ef3eb9a7ee55704bee956e9e5de74cf82a55
Instruction ID: 53bf34936fb969828f7e4c2e00f4e5ece4f73488ba7c5782a824a9c19cd056ce
Opcode Fuzzy Hash: b39b4996bb2c835853fff5b423d6ef3eb9a7ee55704bee956e9e5de74cf82a55
Instruction Fuzzy Hash: A32127B1D002098FDB14DFAAC944BEFFBF5AF88314F14842AD515A7290CB799945CFA4

Function 0135D530 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000,?), ref: 0135D5A8

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 412a8138807bb16cccd4effc64319056a7007c4a5bb360821530b769a10a2302
Instruction ID: dd884be8ea17482065fbe1e9440a499588711f82be56053675ac72fc15679416
Opcode Fuzzy Hash: 412a8138807bb16cccd4effc64319056a7007c4a5bb360821530b769a10a2302
Instruction Fuzzy Hash: 612115B1D002098FDB14DFAAC945BAEFBF5AF88314F10842AD515A7250CB79A944CFA0

Function 01350D09 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01350D83

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 086b9c7179e387cd969ef9f2baf6be557a2fa77496cbe8c7b33b82b924345ac2
Instruction ID: 3efa014f91d83ff35b779b77fdb733fe9970bfe38d3300bb3b5db07817fd7abd
Opcode Fuzzy Hash: 086b9c7179e387cd969ef9f2baf6be557a2fa77496cbe8c7b33b82b924345ac2
Instruction Fuzzy Hash: 4921E2B59002499FDB10DFAAC484ADEFBF4BF49324F108429E958A7251D379A544CFA1

Function 0135D241 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0135D2B6

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 8deeb647cd4cde5244d2af4a9ddb9c2a38eebf7182ffee512650f26c65717423
Instruction ID: 2f82e237f8c36fdce38382ef04a4c39e4d88201149ea599eb9231f33d7710cb2
Opcode Fuzzy Hash: 8deeb647cd4cde5244d2af4a9ddb9c2a38eebf7182ffee512650f26c65717423
Instruction Fuzzy Hash: D21114B1D002498EDB10DFAAC584AAFFBF4FF48324F10842AD519A7250CB78A944CFA0

Function 01350D10 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 01350D83

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 84720e540f2c6524c1d1227bea15e159c64d4850ac2b86088909733c51b39746
Instruction ID: a0b91e990cb85f236c197611527a3295658254809bd28eba1ae3530ade8defec
Opcode Fuzzy Hash: 84720e540f2c6524c1d1227bea15e159c64d4850ac2b86088909733c51b39746
Instruction Fuzzy Hash: DC21E4B59002499FDB10DF9AC884BDEFBF8FF48320F108429E958A7250D779A544CFA5

Function 0135D248 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 0135D2B6

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a0e028321188be9844f6da0c340bb8db4a278074ea23fc1c5eaad8dd540e0e2f
Instruction ID: c96877d982c857f569db56871bb7c460b9282a3c1131e6a77f0c477ec4df7743
Opcode Fuzzy Hash: a0e028321188be9844f6da0c340bb8db4a278074ea23fc1c5eaad8dd540e0e2f
Instruction Fuzzy Hash: 8311E7B1D002098FDB10DFAAC444AAFFBF4EF48724F50842AD519A7250CB79A944CFA5

Function 0135E940 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0135E9AE

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4403543f5bd1e8619169589ec7d474a2099516f8f67c0e9eaaf1819a2e02b7ad
Instruction ID: 78082a92883d10c80158d74c0743a028760e44431714c58c5a353cac8ee3e261
Opcode Fuzzy Hash: 4403543f5bd1e8619169589ec7d474a2099516f8f67c0e9eaaf1819a2e02b7ad
Instruction Fuzzy Hash: 231137B19002499FDB10DFAAC844AEFFFF5EF48324F108419E519A7250CB79A544CFA0

Function 0135E938 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0135E9AE

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d659f1fd63d62d650106178bd5dd54caad1a000b33db53c8c1dd760942979b9d
Instruction ID: 685d7441b2c57f5a80771bb23fe22f6f39cf936e5c96d072642b90d3a8e74b93
Opcode Fuzzy Hash: d659f1fd63d62d650106178bd5dd54caad1a000b33db53c8c1dd760942979b9d
Instruction Fuzzy Hash: 091126B59002099FDB10DFA9C945AEEFBF5EF48324F208819E519A7250CB799544CFA0

Function 0135E7B8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0135E81A

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: bef51f26e8ce5a527539bde4338fd7f931500fb7d2cdc1211029473f529c6724
Instruction ID: 48216de961a629d015593f3709139e7b127e78e92200f6c0daeb1d7fe7d19659
Opcode Fuzzy Hash: bef51f26e8ce5a527539bde4338fd7f931500fb7d2cdc1211029473f529c6724
Instruction Fuzzy Hash: CC1128B1D002488FDB14DFAAC845BAEFFF5EF88724F248429D519A7250CB79A544CBA4

Function 0135E7B1 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0135E81A

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 403a7d7516a793a4e9d501e0a838c64f1455aa3c888932107d2275d557d76ae3
Instruction ID: a5b5dcfb7efb487e3c754cd699a9c525ffccefe6c037f1c0ef871557d68974af
Opcode Fuzzy Hash: 403a7d7516a793a4e9d501e0a838c64f1455aa3c888932107d2275d557d76ae3
Instruction Fuzzy Hash: 5B1128B5D003488FDB14DFAAC5457EEFBF5AF48724F24882AD519A7250CB38A544CBA4

Function 0135D300 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0135D367

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 4d470789c6f857bc9067432589dd668348ce2d2225a98d17f90d99b3cc51865d
Instruction ID: f418bbfff2ef8a94256b955e8da6916e163e031cda5ee591b7dcdd10fbe782f2
Opcode Fuzzy Hash: 4d470789c6f857bc9067432589dd668348ce2d2225a98d17f90d99b3cc51865d
Instruction Fuzzy Hash: 4B1103B5800248CFDB10DF99D444BDEBBF4EB48714F20841AD518A7750C378A944CFA5

Function 0135A884 Relevance: 1.3, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 0135D367

Memory Dump Source

Source File: 0000000F.00000002.3340393180.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1350000_WindowsUpdate.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bb5a0cc0b71e23c4c5c3dc8f17bf1d961f79e77ae0b9332c258add62d2045ee
Instruction ID: 25dd367f61126f43f0f04b4970576549f4a04c6bac29bff79403f55522540982
Opcode Fuzzy Hash: 9bb5a0cc0b71e23c4c5c3dc8f17bf1d961f79e77ae0b9332c258add62d2045ee
Instruction Fuzzy Hash: D11103B5800349CFCB50DF9AD444B9EFBF8EB48724F20845AD918A7351C778A944CFA5

Function 0130D01C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3339896304.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_130d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed85675a8e2a9a120b13c22e5fa883aa4300d336934f8bea72e0915b65a8f051
Instruction ID: 04567d843860181827432af1e108f7a2bd3f429d6a94ffab08c5932d909d3088
Opcode Fuzzy Hash: ed85675a8e2a9a120b13c22e5fa883aa4300d336934f8bea72e0915b65a8f051
Instruction Fuzzy Hash: AC21F5705042449FD716DFA8D594B26BBE9FB84358F20C56DD90D4B692C33AD807C661

Function 0130D017 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3339896304.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_130d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d49e4a1442b6ae817b54e6d01109cf66e3cf9bb30be93c629efda23a912acd
Instruction ID: 0c685aa4429a443d3eef04b6a573d4a99ea652a096fdb864500800ffef53db32
Opcode Fuzzy Hash: 93d49e4a1442b6ae817b54e6d01109cf66e3cf9bb30be93c629efda23a912acd
Instruction Fuzzy Hash: 6911DA75504280CFDB12DF58CA98B15BFA1FB84218F24C6AAD8494B692C33AD80ACB52

Analysis Process: WindowsUpdate.exePID: 1524, Parent PID: 5392COMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	4

Executed Functions

Function 00FF740F Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FF74DE
GetCurrentThread.KERNEL32 ref: 00FF751B
GetCurrentProcess.KERNEL32 ref: 00FF7558
GetCurrentThreadId.KERNEL32 ref: 00FF75B1

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 52101bf0b1528176a2f9ae85752ce99aa5af985afd601b76add0b081b9c307c2
Instruction ID: 7c2641d20ba02308c772b0355b85d541fcde2119e0f308c6c8f612b06a1794ee
Opcode Fuzzy Hash: 52101bf0b1528176a2f9ae85752ce99aa5af985afd601b76add0b081b9c307c2
Instruction Fuzzy Hash: 5251BDB0D043498FDB18DFA9D548BAEBFF1FF49314F288499D109A7262C778A845CB61

Function 00FF7460 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FF74DE
GetCurrentThread.KERNEL32 ref: 00FF751B
GetCurrentProcess.KERNEL32 ref: 00FF7558
GetCurrentThreadId.KERNEL32 ref: 00FF75B1

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: af0fafa58444ba60f9a6657039c1dc2d56acbe1e2f84df4a54d3dc929e222411
Instruction ID: eea3719773927ae1719494d7e69454891baa236fec5436936b0d11676c176ffe
Opcode Fuzzy Hash: af0fafa58444ba60f9a6657039c1dc2d56acbe1e2f84df4a54d3dc929e222411
Instruction Fuzzy Hash: 505174B0D003498FDB14EFAAD548BAEBBF5FF48314F248459E109B7260D778A944CB65

Function 00FF745B Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00FF74DE
GetCurrentThread.KERNEL32 ref: 00FF751B
GetCurrentProcess.KERNEL32 ref: 00FF7558
GetCurrentThreadId.KERNEL32 ref: 00FF75B1

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f7214af27e74ef37753b50c0ecac3d3dccd8f1462adf97af0d3dd47a5ccdaabc
Instruction ID: 4a6dc33cb17acc423d73d4a630bd80eabddb08dd94aef529aa6d80219e6d1e6f
Opcode Fuzzy Hash: f7214af27e74ef37753b50c0ecac3d3dccd8f1462adf97af0d3dd47a5ccdaabc
Instruction Fuzzy Hash: B15153B09003498FDB14DFA9D648BAEBBF1FF48314F248499E509B7260D778A944CB65

Function 00FFF9F0 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00FFFB02

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 59784600e17367bb47ae8829efa1c7e6ae18d353346b6df1754e9bc9208aab2d
Instruction ID: c3df1263a94f57727d3c3f4877b62d6592978f1c97efd921a2a6f629b99f13ae
Opcode Fuzzy Hash: 59784600e17367bb47ae8829efa1c7e6ae18d353346b6df1754e9bc9208aab2d
Instruction Fuzzy Hash: CB41AFB1D00349DFDB14CF9AC994ADEBBB5BF88710F24812AE918AB220D7759945CF90

Function 00FF7768 Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FF772F

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9cc1612982da249af952a65ef03e9d0b96b912a725cb119ec0003e5af80c7780
Instruction ID: c0fcb8baecaf07ce1faff08159fc97d1a5e406daad22519d58435f27cb9fd88f
Opcode Fuzzy Hash: 9cc1612982da249af952a65ef03e9d0b96b912a725cb119ec0003e5af80c7780
Instruction Fuzzy Hash: 8D316DB5A403419FE724AF61E44977E7BB6F789744F208829EA468B389CB745C11CF21

Function 00FF76A8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FF772F

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 274daac05618d648668fd37fe92b6ef7b8cb025dc639f6fea4874b13b2e2523a
Instruction ID: 778f400e8c14575f6e9dddbb0b575f9b576f561c6baa8fff8726521f56f0ec2f
Opcode Fuzzy Hash: 274daac05618d648668fd37fe92b6ef7b8cb025dc639f6fea4874b13b2e2523a
Instruction Fuzzy Hash: 2E21B3B59002489FDB10DFAAD584AEEFBF9FB48710F14841AE918A3250D378A944CFA5

Function 00FF76A3 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FF772F

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b1ef72f0f0a80f3f798ade9e3c7b0fa7b8db396eb36a691d66c5d0a47dbd1c4d
Instruction ID: a4414729f341a6b052b75fa4234894405d2d009cea1fdaa1d078352bd4baaa13
Opcode Fuzzy Hash: b1ef72f0f0a80f3f798ade9e3c7b0fa7b8db396eb36a691d66c5d0a47dbd1c4d
Instruction Fuzzy Hash: B921E0B59002489FDB10DFAAD984AEEBFF5FF48310F14841AE918A7210D378A940CFA4

Function 00FFD5E8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00FFD64E

Memory Dump Source

Source File: 00000010.00000002.3034728055.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_ff0000_WindowsUpdate.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1b00c75ed9eff3808998fb80dea62ab6f0f0c84ad03053c5ad54ae18f99203f8
Instruction ID: ae5093ef8df7de97190ff4c8c82bcf343338c122cd0a318c66fe0741c85e4879
Opcode Fuzzy Hash: 1b00c75ed9eff3808998fb80dea62ab6f0f0c84ad03053c5ad54ae18f99203f8
Instruction Fuzzy Hash: 3611E0B5C003498FDB10DF9AC444ADEFBF5EF88724F10841AD929A7610C379A545CFA5

Function 00F9D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2995729223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f9d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b40c4d51e87100a7a9c0e4e6c87768597d3b63e84558e908ac237204e71ea94
Instruction ID: d6cca9273bde99339fc4be34f5aa6cc618cc12bb1794188dfb46a2447e98c204
Opcode Fuzzy Hash: 1b40c4d51e87100a7a9c0e4e6c87768597d3b63e84558e908ac237204e71ea94
Instruction Fuzzy Hash: BD21D372544204DFEF05DF18D9C0B26BF65FB98324F34C569E9090B256C33AE856EAA2

Function 00F9D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2995729223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f9d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67bb250c4710c734f82a23ca7d3b60224e1e7749b39c1b02d4666f4de68cc2d
Instruction ID: 575babc9301bf160ed3f18875b1366b83845faa11e9c64f0af035844f26deb6b
Opcode Fuzzy Hash: a67bb250c4710c734f82a23ca7d3b60224e1e7749b39c1b02d4666f4de68cc2d
Instruction Fuzzy Hash: 4121F872904204DFEF05DF14D9C0F26BF65FB98328F398569D9090B256C33AD856EBA2

Function 00FAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3003231373.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fad000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351eec9894a26c1af9ee251d33709e5b6587e882d0b240d25ef1767eeeb128da
Instruction ID: b2427368c5a40da79c5ea1af31fddedd8c4e35e63f0c6d443c2fa02466ff9d70
Opcode Fuzzy Hash: 351eec9894a26c1af9ee251d33709e5b6587e882d0b240d25ef1767eeeb128da
Instruction Fuzzy Hash: B921F2B5604204DFCB14DF24D984B26BF65FB89324F20C569D94A4B69AC33AD807EA62

Function 00FAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.3003231373.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_fad000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfac97522be1cd7614b78f2eeb6df341476410ba1c640c6ba06016a3b55e934a
Instruction ID: d7eda8e9cfdc51d257d4907754b89648cc9c45d8612f893d1b094c43a87ba076
Opcode Fuzzy Hash: bfac97522be1cd7614b78f2eeb6df341476410ba1c640c6ba06016a3b55e934a
Instruction Fuzzy Hash: 152162755093C08FDB12CF24D994715BF71EB46314F28C5EAD8498F6A7C33A980ADB62

Function 00F9D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2995729223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f9d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: bc3685b8b8ac8900549d2e851253c86c5d834aa3dcd43aa20ade58f27897227c
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 8A11DF72804240CFDF06CF14D5C4B16BF62FB94324F34C5A9D9090B656C33AE85ADBA2

Function 00F9D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2995729223.0000000000F9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_f9d000_WindowsUpdate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 7cfa061f23dc91639512168c5b372c72bd419db8516d5bd736e0cec8feb110c1
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: AA11AF76904240CFDF16CF14D5C4B16BF71FB98328F28C6A9D9090B256C33AD85ADBA2

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bpaymentcopy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: HawkEye

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Windows Update.e_67ef924b4c8d0c34ff9852e7fa92ec091c8d53_a7701f3f_439551e8-647b-4809-b1bd-c96247e73b88\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WindowsUpdate.ex_a8a48848cdd537f5d7a114773494bcb74310219d_c64eec3f_811ffd07-e382-45cb-b647-e69203908424\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER755D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER77FE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER785D.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8928.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8BC9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C18.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WindowsUpdate.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bpaymentcopy.exe.log

C:\Users\user\AppData\Local\Temp\SysInfo.txt

C:\Users\user\AppData\Roaming\Windows Update.exe

Windows Analysis Report
bpaymentcopy.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre