Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B34696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00B34696 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_00B3C9C7 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3C93C FindFirstFileW,FindClose, |
0_2_00B3C93C |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00B3F200 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00B3F35D |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00B3F65E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00B33A2B |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00B33D4E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00B3BF27 |
Source: RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: RegSvcs.exe, 00000002.00000002.3389464276.0000000003367000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://smtp.italiacanda-it.com |
Source: RegSvcs.exe, 00000002.00000002.3389464276.0000000003367000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://us2.smtp.mailhostbox.com |
Source: Payment.exe, 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://account.dyn.com/ |
Source: Payment.exe, 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org |
Source: RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/ |
Source: RegSvcs.exe, 00000002.00000002.3389464276.00000000032F1000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://api.ipify.org/t |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B4425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_00B4425A |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B4425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, |
0_2_00B4425A |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B5CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, |
0_2_00B5CDAC |
Source: 0.2.Payment.exe.2150000.1.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: This is a third-party compiled AutoIt script. |
0_2_00AD3B4C |
Source: Payment.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
|
Source: Payment.exe, 00000000.00000002.2156025250.0000000000B85000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_df352232-5 |
Source: Payment.exe, 00000000.00000002.2156025250.0000000000B85000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_f4793a40-7 |
Source: Payment.exe |
String found in binary or memory: This is a third-party compiled AutoIt script. |
memstr_cf9b2c80-1 |
Source: Payment.exe |
String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer |
memstr_2ba005b0-8 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B28858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, |
0_2_00B28858 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00ADE800 |
0_2_00ADE800 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AFDBB5 |
0_2_00AFDBB5 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00ADE060 |
0_2_00ADE060 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B5804A |
0_2_00B5804A |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE4140 |
0_2_00AE4140 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF2405 |
0_2_00AF2405 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B06522 |
0_2_00B06522 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B0267E |
0_2_00B0267E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B50665 |
0_2_00B50665 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF283A |
0_2_00AF283A |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE6843 |
0_2_00AE6843 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B089DF |
0_2_00B089DF |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B06A94 |
0_2_00B06A94 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B50AE2 |
0_2_00B50AE2 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE8A0E |
0_2_00AE8A0E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B38B13 |
0_2_00B38B13 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B2EB07 |
0_2_00B2EB07 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AFCD61 |
0_2_00AFCD61 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B07006 |
0_2_00B07006 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE3190 |
0_2_00AE3190 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE710E |
0_2_00AE710E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AD1287 |
0_2_00AD1287 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF33C7 |
0_2_00AF33C7 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AFF419 |
0_2_00AFF419 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE5680 |
0_2_00AE5680 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF16C4 |
0_2_00AF16C4 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AE58C0 |
0_2_00AE58C0 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF78D3 |
0_2_00AF78D3 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF1BB8 |
0_2_00AF1BB8 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B09D05 |
0_2_00B09D05 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00ADFE40 |
0_2_00ADFE40 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AFBFE6 |
0_2_00AFBFE6 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF1FD0 |
0_2_00AF1FD0 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_02143660 |
0_2_02143660 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_017EE1C1 |
2_2_017EE1C1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_017EA950 |
2_2_017EA950 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_017E4A98 |
2_2_017E4A98 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_017E3E80 |
2_2_017E3E80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_017E41C8 |
2_2_017E41C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C0A198 |
2_2_06C0A198 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C0B9F0 |
2_2_06C0B9F0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C165E8 |
2_2_06C165E8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C155A8 |
2_2_06C155A8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C1B220 |
2_2_06C1B220 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C13060 |
2_2_06C13060 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C1C170 |
2_2_06C1C170 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C17D78 |
2_2_06C17D78 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C17698 |
2_2_06C17698 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C1E388 |
2_2_06C1E388 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C1034B |
2_2_06C1034B |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C10007 |
2_2_06C10007 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Code function: 2_2_06C15CDB |
2_2_06C15CDB |
Source: Payment.exe, 00000000.00000003.2149304388.0000000003EC3000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe |
Source: Payment.exe, 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamed1d0086e-f958-473c-b56d-1a9de9dc0359.exe4 vs Payment.exe |
Source: Payment.exe, 00000000.00000003.2155034288.00000000040AD000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamentdll.dllj% vs Payment.exe |
Source: 0.2.Payment.exe.2150000.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, c2bZQnG.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, c2bZQnG.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, Q1L0K.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, Q1L0K.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, uo1UBaEHa.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, uo1UBaEHa.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, uo1UBaEHa.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Payment.exe.2150000.1.raw.unpack, uo1UBaEHa.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Payment.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_00AD4A35 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, |
0_2_00B555FD |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AF33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, |
0_2_00AF33C7 |
Source: C:\Users\user\Desktop\Payment.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B34696 GetFileAttributesW,FindFirstFileW,FindClose, |
0_2_00B34696 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, |
0_2_00B3C9C7 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3C93C FindFirstFileW,FindClose, |
0_2_00B3C93C |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00B3F200 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, |
0_2_00B3F35D |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00B3F65E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00B33A2B |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, |
0_2_00B33D4E |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, |
0_2_00B3BF27 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 100000 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99875 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99765 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99656 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99542 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99437 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99328 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99212 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99109 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 99000 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98890 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98781 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98671 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98453 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98343 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98231 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98125 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 98015 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97906 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97796 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97687 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97577 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97468 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97359 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97250 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97140 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 97031 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96921 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96799 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96672 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96562 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96451 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96343 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96234 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96120 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 96015 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 95906 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 95796 |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Thread delayed: delay time: 922337203685477 |
Jump to behavior |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B05CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, |
0_2_00B05CCC |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_00B281F7 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00AD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, |
0_2_00AD4A35 |
Source: C:\Users\user\Desktop\Payment.exe |
Code function: 0_2_00B281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, |
0_2_00B281F7 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Jump to behavior |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3389464276.0000000003367000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3389464276.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Payment.exe PID: 3924, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini |
Jump to behavior |
Source: Payment.exe |
Binary or memory string: WIN_81 |
Source: Payment.exe |
Binary or memory string: WIN_XP |
Source: Payment.exe |
Binary or memory string: WIN_XPe |
Source: Payment.exe |
Binary or memory string: WIN_VISTA |
Source: Payment.exe |
Binary or memory string: WIN_7 |
Source: Payment.exe |
Binary or memory string: WIN_8 |
Source: Payment.exe |
Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3389464276.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Payment.exe PID: 3924, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR |
Source: Yara match |
File source: dump.pcap, type: PCAP |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Payment.exe.2150000.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2157047386.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3388297817.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3389464276.0000000003367000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.3389464276.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Payment.exe PID: 3924, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: RegSvcs.exe PID: 5648, type: MEMORYSTR |