Windows Analysis Report
Payment-Inv.exe

Overview

General Information

Sample name: Payment-Inv.exe
Analysis ID: 1538475
MD5: d4a26c141b32a5d61efbe2e7f69c0d00
SHA1: b66b6969264564861d5121a6a822b87de385ae91
SHA256: b25969ec654bac567f82da096178825f2e7b89e03a9e4f7ac6ae2ae98aaa6b08
Tags: exeuser-TeamDreier
Infos:

Detection

DarkCloud
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DarkCloud
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample has a suspicious name (potential lure to open the executable)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May check the online IP address of the machine
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
DarkCloud Stealer Stealer is written in Visual Basic. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Payment-Inv.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Avira: detection malicious, Label: TR/VB.Downloader.Gen
Found malware configuration
Source: Payment-Inv.exe Malware Configuration Extractor: DarkCloud {"Exfil Mode": "SMTP", "To Address": "purchase.accounts@ahlada.com", "From Address": "purchase.accounts@ahlada.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe ReversingLabs: Detection: 73%
Multi AV Scanner detection for submitted file
Source: Payment-Inv.exe ReversingLabs: Detection: 73%
Source: Payment-Inv.exe Virustotal: Detection: 80% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment-Inv.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: Payment-Inv.exe String decryptor: Cookies
Source: Payment-Inv.exe String decryptor: ^(0x){1}[0-9a-fA-F]{40}$
Source: Payment-Inv.exe String decryptor: ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})|^((bitcoincash:)?(q|p)[a-z0-9]{41})|^((BITCOINCASH:)?(Q|P)[A-Z0-9]{41})$
Source: Payment-Inv.exe String decryptor: ^([r])([1-9A-HJ-NP-Za-km-z]{24,34})$
Source: Payment-Inv.exe String decryptor: ^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$
Source: Payment-Inv.exe String decryptor: ^[LM3][a-km-zA-HJ-NP-Z1-9]{26,33}$
Source: Payment-Inv.exe String decryptor: ^G[ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]{55}$
Source: Payment-Inv.exe String decryptor: \Default\Login Data
Source: Payment-Inv.exe String decryptor: \Login Data
Source: Payment-Inv.exe String decryptor: //setting[@name='Password']/value
Source: Payment-Inv.exe String decryptor: Password :
Source: Payment-Inv.exe String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment-Inv.exe String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: Payment-Inv.exe String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: Payment-Inv.exe String decryptor: SMTP Email Address
Source: Payment-Inv.exe String decryptor: Password
Source: Payment-Inv.exe String decryptor: NNTP Email Address
Source: Payment-Inv.exe String decryptor: Email
Source: Payment-Inv.exe String decryptor: HTTPMail User Name
Source: Payment-Inv.exe String decryptor: HTTPMail Server
Source: Payment-Inv.exe String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: Payment-Inv.exe String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: Payment-Inv.exe String decryptor: ^3[47][0-9]{13}$
Source: Payment-Inv.exe String decryptor: ^(6541|6556)[0-9]{12}$
Source: Payment-Inv.exe String decryptor: ^389[0-9]{11}$
Source: Payment-Inv.exe String decryptor: ^3(?:0[0-5]|[68][0-9])[0-9]{11}$
Source: Payment-Inv.exe String decryptor: ^63[7-9][0-9]{13}$
Source: Payment-Inv.exe String decryptor: ^(?:2131|1800|35\\d{3})\\d{11}$
Source: Payment-Inv.exe String decryptor: ^9[0-9]{15}$
Source: Payment-Inv.exe String decryptor: ^(6304|6706|6709|6771)[0-9]{12,15}$
Source: Payment-Inv.exe String decryptor: Mastercard
Source: Payment-Inv.exe String decryptor: ^(5018|5020|5038|6304|6759|6761|6763)[0-9]{8,15}$
Source: Payment-Inv.exe String decryptor: ^(6334|6767)[0-9]{12}|(6334|6767)[0-9]{14}|(6334|6767)[0-9]{15}$
Source: Payment-Inv.exe String decryptor: Visa Card
Source: Payment-Inv.exe String decryptor: ^(4903|4905|4911|4936|6333|6759)[0-9]{12}|(4903|4905|4911|4936|6333|6759)[0-9]{14}|(4903|4905|4911|4936|6333|6759)[0-9]{15}|564182[0-9]{10}|564182[0-9]{12}|564182[0-9]{13}|633110[0-9]{10}|633110[0-9]{12}|633110[0-9]{13}$
Source: Payment-Inv.exe String decryptor: ^(62[0-9]{14,17})$
Source: Payment-Inv.exe String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$
Source: Payment-Inv.exe String decryptor: Visa Master Card
Source: Payment-Inv.exe String decryptor: \logins.json
Source: Payment-Inv.exe String decryptor: \signons.sqlite
Source: Payment-Inv.exe String decryptor: Foxmail.exe
Source: Payment-Inv.exe String decryptor: mail\
Source: Payment-Inv.exe String decryptor: \Accounts\Account.rec0
Source: Payment-Inv.exe String decryptor: \AccCfg\Accounts.tdat
Source: Payment-Inv.exe String decryptor: EnableSignature
Source: Payment-Inv.exe String decryptor: Application : FoxMail
Source: Payment-Inv.exe String decryptor: encryptedUsername
Source: Payment-Inv.exe String decryptor: logins
Source: Payment-Inv.exe String decryptor: encryptedPassword
Source: Payment-Inv.exe String decryptor: purchase.accounts@ahlada.com
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: Payment-Inv.exe String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword
Source: Payment-Inv.exe String decryptor: \global-messages-db.sqlite
Source: Payment-Inv.exe String decryptor: C:\\MailMasterData
Uses 32bit PE files
Source: Payment-Inv.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: W.pdb4 source: Payment-Inv.exe, flakeboard.exe.0.dr
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.55.60.2 162.55.60.2
May check the online IP address of the machine
Source: unknown DNS query: name: showip.net
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49711 -> 162.55.60.2:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49897 -> 162.55.60.2:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49895 -> 162.55.60.2:80
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_0043D2F0 __vbaStrCopy,__vbaStrMove,__vbaFixstrConstruct,__vbaNew2,__vbaHresultCheckObj,__vbaHresultCheckObj,__vbaStrToAnsi,InternetOpenA,__vbaSetSystemError,__vbaFreeStrList,__vbaFreeStrList,__vbaFreeObj,__vbaStrToAnsi,InternetOpenUrlA,__vbaSetSystemError,__vbaStrToUnicode,__vbaFreeStr,__vbaStrToAnsi,__vbaSetSystemError,__vbaStrToUnicode,__vbaLsetFixstr,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,__vbaStrToAnsi,InternetReadFile,__vbaStrToUnicode,__vbaLsetFixstr,__vbaFreeStrList,__vbaStrCopy,#631,__vbaStrMove,__vbaLsetFixstr,__vbaStrCat,__vbaStrMove,__vbaFreeStrList,__vbaSetSystemError,#598,__vbaSetSystemError,__vbaStrCopy,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr, 5_2_0043D2F0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Project1Host: showip.net
Source: global traffic DNS traffic detected: DNS query: showip.net
Source: Payment-Inv.exe, 00000000.00000003.2200529643.0000000000611000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200489287.0000000003A51000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555942135.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555981327.0000000000802000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550595347.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schema.org
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net
Source: Payment-Inv.exe, 00000000.00000003.2200585965.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2212572654.00000000005E2000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556279313.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556057820.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/
Source: flakeboard.exe, 00000005.00000003.2556057820.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/%=
Source: Payment-Inv.exe, 00000000.00000003.2201400191.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201006243.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200585965.00000000005E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/4b
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/A
Source: flakeboard.exe, 00000005.00000003.2556279313.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556057820.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/TZG
Source: Payment-Inv.exe, 00000000.00000003.2201400191.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201006243.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200585965.00000000005E3000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2212572654.00000000005E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/rc
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.net/y
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.netl?
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://showip.netll/
Source: flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.maxmind.com
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Payment-Inv.exe, 00000000.00000003.2200585965.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2557875742.0000000000815000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556031341.000000000082C000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556279313.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555981327.0000000000802000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556057820.0000000000782000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550639562.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550595347.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550699030.000000000079C000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550699030.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550675895.00000000007ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fundingchoicesmessages.google.com/i/pub-8790158038613050?ers=1
Source: Payment-Inv.exe, 00000000.00000003.2201006243.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201400191.00000000005EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fundingchoicesmessages.google.com9x
Source: Payment-Inv.exe, 00000000.00000003.2200529643.0000000000611000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200489287.0000000003A51000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555942135.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555981327.0000000000802000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550595347.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/
Source: Payment-Inv.exe, 00000000.00000003.2200529643.0000000000611000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200489287.0000000003A51000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555942135.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555981327.0000000000802000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550595347.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://showip.net/?checkip=
Source: flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://unpkg.com/leaflet
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Payment-Inv.exe, 00000000.00000003.2179856438.000000000059E000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2540862082.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536524012.0000000000754000.00000004.00000020.00020000.00000000.sdmp, WebData.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Payment-Inv.exe, 00000000.00000003.2200557358.00000000005FB000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201006243.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200489287.0000000003A51000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201400191.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200585965.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556279313.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550595347.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550699030.000000000079C000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550699030.00000000007AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-L6NKT5G6D7
Source: Payment-Inv.exe, 00000000.00000003.2204670949.0000000003A81000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2210229879.0000000003A81000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200489287.0000000003A51000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555942135.0000000003A58000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2555981327.0000000000802000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550563022.0000000003811000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openstreetmap.org/copyright
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_004056C8 GetAsyncKeyState, 5_2_004056C8

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment-Inv.exe
Sample has a suspicious name (potential lure to open the executable)
Source: Payment-Inv.exe Static file information: Suspicious name
Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\Desktop\Payment-Inv.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_00430480 5_2_00430480
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Code function: 5_2_004033E4 5_2_004033E4
PE file contains executable resources (Code or Archives)
Source: Payment-Inv.exe Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Source: flakeboard.exe.0.dr Static PE information: Resource name: CUSTOM type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Sample file is different than original file name gathered from version info
Source: Payment-Inv.exe, 00000000.00000003.2311210463.0000000004F58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefirebirds.exe vs Payment-Inv.exe
Source: Payment-Inv.exe Binary or memory string: OriginalFilenamefirebirds.exe vs Payment-Inv.exe
Uses 32bit PE files
Source: Payment-Inv.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Payment-Inv.exe, flakeboard.exe.0.dr Binary or memory string: 7@pD*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: flakeboard.exe, 00000005.00000002.3410722985.0000000000447000.00000004.00000001.01000000.00000008.sdmp, flakeboard.exe, 00000007.00000002.3410724729.0000000000447000.00000004.00000001.01000000.00000008.sdmp Binary or memory string: XN@*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp Cm
Source: flakeboard.exe Binary or memory string: D*\AC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: classification engine Classification label: mal100.troj.spyw.winEXE@3/120@1/1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Payment-Inv.exe File created: C:\Users\user\AppData\Local\Temp\~DF34BE4CFDAFAB0A23.TMP Jump to behavior
Source: Payment-Inv.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment-Inv.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: flakeboard.exe Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: Payment-Inv.exe, 00000000.00000003.2180223297.000000000058C000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2180507135.00000000005AC000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2180107327.00000000005AE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541083985.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541248636.0000000000791000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2541413064.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536649530.0000000000763000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2536914012.0000000000740000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2537031246.0000000000761000.00000004.00000020.00020000.00000000.sdmp, LogabacusesxBGTaeIfvTUzjaQgHAWxNnWeaZsQuFodevotionality.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Payment-Inv.exe ReversingLabs: Detection: 73%
Source: Payment-Inv.exe Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\Payment-Inv.exe File read: C:\Users\user\Desktop\Payment-Inv.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment-Inv.exe "C:\Users\user\Desktop\Payment-Inv.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe"
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: zipfldr.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: cdosys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: inetcomm.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: zipfldr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: cdosys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetcomm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msvbvm60.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vb6zz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: zipfldr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: cdosys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetcomm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: msoert2.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: W.pdb4 source: Payment-Inv.exe, flakeboard.exe.0.dr
Drops PE files
Source: C:\Users\user\Desktop\Payment-Inv.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Jump to dropped file
Source: C:\Users\user\Desktop\Payment-Inv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce customariness Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce customariness Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce customariness Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce customariness Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Payment-Inv.exe Window / User API: foregroundWindowGot 1299 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Window / User API: foregroundWindowGot 1597 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Window / User API: foregroundWindowGot 1773 Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ctivebrokers.co.inVMware20,11696487552d
Source: flakeboard.exe, 00000005.00000003.2541479659.0000000000797000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: yctivebrokers.co.inVMware20,11696487552d
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Payment-Inv.exe, 00000000.00000003.2201006243.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2212572654.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201400191.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200585965.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556279313.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000774000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000003.2550699030.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Payment-Inv.exe, 00000000.00000003.2201006243.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2208230480.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2212572654.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2201400191.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Payment-Inv.exe, 00000000.00000003.2200585965.00000000005EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW;Ha
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: in ttctivebrokers.co.inVMware20,11696487552d
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Payment-Inv.exe, 00000000.00000003.2180716565.0000000000592000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: inH,Yctivebrokers.co.inVMware20,11696487552d
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556279313.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000746000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, KeyDataiUKSsPPq.txt.0.dr Binary or memory string: [05:30:49]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:27]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r4]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [5:31:00]<<Program Managerun>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:15]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:48]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:26]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, KeyDatawqJiNLOm.txt.0.dr Binary or memory string: [05:30:59]<<Program Manager>>
Source: KeyDatatWBDPZVd.txt.0.dr, KeyDataudGJeilF.txt.0.dr Binary or memory string: [05:30:37]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerpc.BMP
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:57]<<Program Manager>>xtm,
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:17]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:03]<<Program Manager>>
Source: KeyDataFUSZjHmZ.txt.0.dr, KeyDataudGJeilF.txt.0.dr Binary or memory string: [05:30:39]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageroardada.com
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000782000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:45]<<Program Manager>>:43]<<P
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:10]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:50]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:04]<<Program Manager>>
Source: KeyDatawkqkJSHN.txt.0.dr Binary or memory string: [05:30:47]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:25]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:58]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:06]<<Program Manager>>
Source: KeyDatayHwISEIh.txt.0.dr, KeyDatauxmCqTJs.txt.0.dr Binary or memory string: [05:30:30]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:57]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:07]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:13]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managercx.BMPa.com
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerlh.BMP
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<<Program Manager>>ll
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:41]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r[05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:27]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:24]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5:30:08]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:23]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [5:31:09]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:06]<<Program Manager>>xt\
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataFUSZjHmZ.txt.0.dr Binary or memory string: [05:30:40]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:51]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:34]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000003.2556057820.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managertture");
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:05]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:08]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09]<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07<<Program Managerun>>
Source: KeyDatagPlbcKPT.txt.0.dr Binary or memory string: [05:29:54]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatasWOfgWdx.txt.0.dr Binary or memory string: [05:30:43]<<Program Manager>>
Source: KeyDataVfLQtXHS.txt.0.dr, KeyDatagPlbcKPT.txt.0.dr Binary or memory string: [05:29:55]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:10]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<<Program Manager>>am
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managertture
Source: KeyDataZwACwHFD.txt.0.dr, KeyDatagPlbcKPT.txt.0.dr Binary or memory string: [05:29:53]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:12]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 5:30:49]<<Program Managerun>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:22]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:08]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:11]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:23]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:17]<<Program Manager>>0
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageroard Manager
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t:02]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataQIppfjMl.txt.0.dr Binary or memory string: [05:30:42]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:59]<<Program Manager>>nager>>sc
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:34]<<Program ManagerE~1
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:57]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }[05:31:10]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:08]<<Program Manager>>xtE
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12]<<Program Manager>> ds
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatawkqkJSHN.txt.0.dr, KeyDataakkZbIPL.txt.0.dr Binary or memory string: [05:30:46]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerip32131eldbqU
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {<<Program Manager>>
Source: KeyDatauxmCqTJs.txt.0.dr Binary or memory string: [05:30:29]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:00]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?w]<<Program Manager>>:43]<<P
Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~[05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageroardP
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 05:31:10]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HQ~[05:31:05]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:45]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:02]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [5:30:40]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, KeyDataISIBMHvc.txt.0.dr, KeyDatauxmCqTJs.txt.0.dr Binary or memory string: [05:30:28]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:39]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:09]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: as[05:31:11]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12]<<Program Manager>>xtG.7
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:52]<<Program Manager>>xtaC
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataRijzbbxq.txt.0.dr Binary or memory string: [05:31:01]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatasWOfgWdx.txt.0.dr, KeyDataakkZbIPL.txt.0.dr Binary or memory string: [05:30:44]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:54]<<Program Manager>>1D)`#G
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003810000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.0000000000774000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:56]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: v[05:31:11]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +u[05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: z<<Program Manager>>
Source: KeyDataudGJeilF.txt.0.dr Binary or memory string: [05:30:38]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:04]<<Program Manager>>c\"<
Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:12]<<Program Manager>>''ch
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:49]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:03]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:02]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:27]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:59]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:04]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager>>@
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000003.2556377508.0000000000776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wProgram Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:03]<<Program Manager>>0z
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:26]<<Program Manager>>
Source: KeyDataiUKSsPPq.txt.0.dr, KeyDatawkqkJSHN.txt.0.dr Binary or memory string: [05:30:48]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Iy[05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataPrAZkwrp.txt.0.dr, KeyDatamjmXVLtG.txt.0.dr Binary or memory string: [05:30:51]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<<Program Managerun>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:40]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12]<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managers@ahlada.com
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageroardlada.com
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:16]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataQIppfjMl.txt.0.dr, KeyDataFUSZjHmZ.txt.0.dr Binary or memory string: [05:30:41]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:41]<<Program Manager>>1
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:24]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:04]<<Program Manager>>5a
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:52]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.0000000000787000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {[05:31:10]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:10]<<Program Manager>>xt
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:35]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, KeyDataOkriMQol.txt.0.dr Binary or memory string: [05:31:05]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:28]<<Program Managerprototype.hasOwnProperty.call(y,ca)&&(a=y[ca],Array.isArray(a)&&a!=a&&(c=!0),null!=a?e[ca]=a:c=!0);if(c){for(var rb in e){y=e;break a}y=null}}y!=h&&(Ca=!0);d--}for(;0<d;d--){h=b[d-1];if(null!=h)break;var cb=!0}if(!Ca&&!cb)return b;var da;f?da=b:da=Array.prototype.slice.call(b,0,d);b=da;f&&(b.length=d);y&&b.push(y);return b};function Qa(a){return function(b){if(null==b||""==b)b=new a;else{b=JSON.parse(b);if(!Array.isArray(b))throw Error(void 0);G(b,32);b=Q(a,b)}return b}};function Ra(a){this.h=R(a)}n(Ra,T);var Sa=Qa(Ra);var U;function V(a){this.g=a}V.prototype.toString=function(){return this.g+""};var Ta={};function Ua(){return Math.floor(2147483648*Math.random()).toString(36)+Math.abs(Math.floor(2147483648*Math.random())^Date.now()).toString(36)};function Va(a,b){b=String(b);"application/xhtml+xml"===a.contentType&&(b=b.toLowerCase());return a.createElement(b)}function Wa(a){this.g=a||p.document||document}Wa.prototype.appendChild=function(a,b){a.appendChild(b)};
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager>>1
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:06]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:42]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<Program Managerun>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:50]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JC:\Users\user\AppData\Local\Adobe:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:18]<<Program Manager>>[
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageriO.BMPa.como
Source: KeyDatahDXtWHIF.txt.0.dr, KeyDatawqJiNLOm.txt.0.dr Binary or memory string: [05:30:58]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FC:\Users\user\AppData\Local\CEF05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:22]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:14]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManageriO.BMPa.com
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, KeyDatayHwISEIh.txt.0.dr Binary or memory string: [05:30:31]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:25]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:57]<<Program Manager>>xtA
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, KeyDataCgXmRCfR.txt.0.dr Binary or memory string: [05:30:55]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:43]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [5:31:08]<<Program Manager>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:05]<<Program Manager>>@
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerkWJUsr10#
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:54]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:08]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:09]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:33]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:44]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:54]<<Program Manager>>(
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:07]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:21]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDataMmCIdyxm.txt.0.dr, KeyDatayHwISEIh.txt.0.dr Binary or memory string: [05:30:32]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, KeyDataCgXmRCfR.txt.0.dr Binary or memory string: [05:30:56]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp, KeyDataMmCIdyxm.txt.0.dr, KeyDataQOFChUkf.txt.0.dr Binary or memory string: [05:30:34]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:20]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X^z[05:31:07]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \v[05:31:10]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:33]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :44]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000074A000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:29:45]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatamjmXVLtG.txt.0.dr Binary or memory string: [05:30:52]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:49]<<Program Manager>>ows\9
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:12]<<Program Manager>>
Source: KeyDataQOFChUkf.txt.0.dr Binary or memory string: [05:30:35]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 05:30:52]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cv[05:31:10]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:18]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:27]<<Program Manager56&&(d=a[e-1][c],null!=d))return d;b=c+((b>>9&1)-1);if(b<e)return a[b]}}function Ka(a,b,c,d,e){var f=L(b);if(c>=f||e){e=b;if(b&256)f=a[a.length-1];else{if(null==d)return;f=a[f+((b>>9&1)-1)]={};e|=256}f[c]=d;e&=-1025;e!==b&&I(a,e)}else a[c+((b>>9&1)-1)]=d,b&256&&(d=a[a.length-1],c in d&&delete d[c]),b&1024&&I(a,b&-1025)}
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:02]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r[05:31:11]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:04]<<Program Manager>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager0
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003ACC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:11]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {:10]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:06]<<Program Manager>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerkY.BMPa.com
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:08]<<Program Manager>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09]<<Program Manager>>xtk
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: y[05:31:11]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:46]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.00000000007AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09]<<Program Manager>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000700000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Vp[05:30:44]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:01]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:21]<<Program Manager>>r
Source: flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :10]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:28]<<Program Manager>>I
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:00]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.00000000038B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:00]<<Program Manager>>0[
Source: flakeboard.exe, 00000005.00000002.3413227933.0000000003A7D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3413227933.0000000003A6D000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:30:19]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.000000000078F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:09]<<Program Manager>>1N
Source: KeyDatatWBDPZVd.txt.0.dr Binary or memory string: [05:30:36]<<Program Manager>>
Source: flakeboard.exe, 00000005.00000002.3411063146.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, flakeboard.exe, 00000005.00000002.3411063146.000000000075F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [05:31:10]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3413065588.0000000003834000.00000004.00000020.00020000.00000000.sdmp, KeyDatamjmXVLtG.txt.0.dr, KeyDataTHceNsVF.txt.0.dr Binary or memory string: [05:30:53]<<Program Manager>>
Source: KeyDataZwACwHFD.txt.0.dr Binary or memory string: [05:29:47]<<Program Manager>>
Source: flakeboard.exe, 00000007.00000002.3411032752.0000000000718000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Bp[05:31:11]<<Program Manager>>
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\BNAGMGSPLO.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\CZQKSDDMWR.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EEGWXUHVUG.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EIVQSAOTAQ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\EWZCVGNOWT.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GAOBCVIQIJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\GJBHWQDROJ.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\MNKQCGFJDG.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NVWZAPQSQL.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\NWCXBPIUYI.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PIVFAGEAAV.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\PWCCAWLGRE.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QCFWYSKMHA.pdf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QFAPOWPAFG.xlsx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.docx VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\Files\QNCYCDFIJJ.xlsx VolumeInformation Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected DarkCloud
Source: Yara match File source: Payment-Inv.exe, type: SAMPLE
Source: Yara match File source: 5.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Payment-Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2441004920.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment-Inv.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flakeboard.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Electrum\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Payment-Inv.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Electrum\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Electrum\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected DarkCloud
Source: Yara match File source: Payment-Inv.exe, type: SAMPLE
Source: Yara match File source: 5.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Payment-Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.flakeboard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2311210463.0000000004F11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2166274087.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.2521818363.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3410576325.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3410574150.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.2441004920.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment-Inv.exe PID: 6656, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flakeboard.exe PID: 5376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: flakeboard.exe PID: 5800, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\flakeboard.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538475 Sample: Payment-Inv.exe Startdate: 21/10/2024 Architecture: WINDOWS Score: 100 17 showip.net 2->17 21 Found malware configuration 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 7 other signatures 2->27 6 flakeboard.exe 74 2->6         started        9 Payment-Inv.exe 2 133 2->9         started        13 flakeboard.exe 94 2->13         started        signatures3 process4 dnsIp5 29 Antivirus detection for dropped file 6->29 31 Multi AV Scanner detection for dropped file 6->31 33 Machine Learning detection for dropped file 6->33 19 showip.net 162.55.60.2, 49711, 49895, 49897 ACPCA United States 9->19 15 C:\Users\user\AppData\...\flakeboard.exe, PE32 9->15 dropped 35 Tries to steal Crypto Currency Wallets 9->35 37 Writes or reads registry keys via WMI 9->37 39 Tries to harvest and steal browser information (history, passwords, etc) 13->39 file6 signatures7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.55.60.2
 showip.net United States
35893 ACPCA false

Contacted Domains

Name IP Active
showip.net 162.55.60.2 true