Edit tour

Windows Analysis Report
rPaymentAdvice-PDF.exe

Overview

General Information

Sample name:	rPaymentAdvice-PDF.exe
Analysis ID:	1455406
MD5:	cc74321fe70654e82ead4093093b0116
SHA1:	68e74f568066c31b0f2b2a2837b5ce072b0857af
SHA256:	8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected UAC Bypass using CMSTP

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rPaymentAdvice-PDF.exe (PID: 3620 cmdline: "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe" MD5: CC74321FE70654E82EAD4093093B0116)

MSBuild.exe (PID: 4196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 5048 cmdline: C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: MSBuild.exe PID: 4196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 4196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3354b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33667:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33743:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33869:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3354b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33667:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33743:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33869:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3174b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31867:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31943:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a69:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3174b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x31867:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31943:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a69:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334d9:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3354b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335d5:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33667:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336d1:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33743:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337d9:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x33869:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 10 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 212.146.84.76, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 4196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49715

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.motek.ro", "Username": "office@motek.ro", "Password": "[_QR4eY?2cHe"}

Multi AV Scanner detection for submitted file

Source: rPaymentAdvice-PDF.exe

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR

Source: rPaymentAdvice-PDF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: indoC:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbo source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.Core.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: symbols\dll\System.pdb.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbll source: rPaymentAdvice-PDF.exe, 00000000.00000002.2187838193.0000024E6C387000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb?lN source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: assembly\GAC_MSC:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.Xml.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbjc' source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\rPaymentAdvice-PDF.PDBm source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb\ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbA source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Xml.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbp`Oq4 source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb@ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Windows.Forms.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: mscorlib.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp, WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.Drawing.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb}#_ source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbGAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185081185.000000B9477A1000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb* source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERFFAD.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdbc source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA7B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFFAD.tmp.dmp.6.dr

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 212.146.84.76:587

Source: global traffic

TCP traffic: 192.168.2.6:55813 -> 162.159.36.2:53

Source: Joe Sandbox View

ASN Name: GTSCEGTSCentralEuropeAntelGermanyCZ GTSCEGTSCentralEuropeAntelGermanyCZ

Source: global traffic

TCP traffic: 192.168.2.6:49715 -> 212.146.84.76:587

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.126.163
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: mail.motek.ro

Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.motek.ro
Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://motek.ro
Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, SKTzxzsJw.cs	.Net Code: cOd8BoX
Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, SKTzxzsJw.cs	.Net Code: cOd8BoX

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rPaymentAdvice-PDF.exe

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34684908	0_2_00007FFD34684908
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3468ADD0	0_2_00007FFD3468ADD0
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD346831F0	0_2_00007FFD346831F0
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3468B9F2	0_2_00007FFD3468B9F2
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3468DB4A	0_2_00007FFD3468DB4A
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3468E308	0_2_00007FFD3468E308
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34691709	0_2_00007FFD34691709
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34687007	0_2_00007FFD34687007
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34680E65	0_2_00007FFD34680E65
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34680EFA	0_2_00007FFD34680EFA
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3478026B	0_2_00007FFD3478026B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A94A98	3_2_02A94A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A99B40	3_2_02A99B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A93E80	3_2_02A93E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A9CDC0	3_2_02A9CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_02A941C8	3_2_02A941C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0576DD20	3_2_0576DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0576BD28	3_2_0576BD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05769AF0	3_2_05769AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05763F48	3_2_05763F48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05764FF8	3_2_05764FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_057656D8	3_2_057656D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05760040	3_2_05760040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_0576322B	3_2_0576322B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 3_2_05762AF8	3_2_05762AF8

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152

Source: rPaymentAdvice-PDF.exe

Static PE information: No import functions for PE file found

Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5522c644-5386-4d0c-b3dc-cccb0f430efa.exe4 vs rPaymentAdvice-PDF.exe
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename5522c644-5386-4d0c-b3dc-cccb0f430efa.exe4 vs rPaymentAdvice-PDF.exe
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUcorasewogitiwug: vs rPaymentAdvice-PDF.exe
Source: rPaymentAdvice-PDF.exe, 00000000.00000000.2131800063.0000024E6C202000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIluluxove: vs rPaymentAdvice-PDF.exe
Source: rPaymentAdvice-PDF.exe	Binary or memory string: OriginalFilenameIluluxove: vs rPaymentAdvice-PDF.exe

Source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: rPaymentAdvice-PDF.exe, --.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 4JJG6X.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, 8C78isHTVco.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, CqSP68Ir.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb}#_
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2189034686.0000024E6FA21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@4/5@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3620

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1f16400a-6eae-41a4-9738-e694aecad83e

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: unknown	Process created: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe "C:\Users\user\Desktop\rPaymentAdvice-PDF.exe"
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3620 -s 1152
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34686240 push edi; retn 5F4Ch	0_2_00007FFD346862D6
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34683DEE push es; ret	0_2_00007FFD34683DEF
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD3478026B push esp; retf 4810h	0_2_00007FFD34780312
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Code function: 0_2_00007FFD34781798 push eax; ret	0_2_00007FFD34781799

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory allocated: 24E6C530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory allocated: 24E6DEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4BE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 2326			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 6138			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -26747778906878833s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3260	Thread sleep count: 2326 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 3260	Thread sleep count: 6138 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99526s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99296s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99137s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -99031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98594s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98140s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -98031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97810s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97481s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97263s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97152s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -97045s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96827s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96718s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96609s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96499s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -96062s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95843s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95515s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -95406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: rPaymentAdvice-PDF.exe, 00000000.00000002.2185470097.0000024E00385000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: rPaymentAdvice-PDF.exe, --.cs	Reference to suspicious API methods: LoadLibrary(_3227_A9B7_31C8(_321F_3200_3211_3215_31D3._3218_31C4_31CA_31D5_31E5_A97D_31E8_3209))
Source: rPaymentAdvice-PDF.exe, --.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _3227_A9B7_31C8(_321F_3200_3211_3215_31D3._3201_3207_31C3_A9B4))
Source: rPaymentAdvice-PDF.exe, --.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.Length, 64u, out _320B_3225_31E4_31C4_3223_A9B6_D7FF_3198)
Source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, zOS.cs	Reference to suspicious API methods: _120HqGy.OpenProcess(_2pIt.DuplicateHandle, bInheritHandle: true, (uint)iVE.ProcessID)

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43E000	Jump to behavior
Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: A50008	Jump to behavior

Source: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe	Queries volume information: C:\Users\user\Desktop\rPaymentAdvice-PDF.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: Yara match	File source: 3.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPaymentAdvice-PDF.exe.24e10c79158.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rPaymentAdvice-PDF.exe.24e1035a758.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3384403596.0000000002C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rPaymentAdvice-PDF.exe PID: 3620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 4196, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Email Collection	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	151 Virtualization/Sandbox Evasion	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	311 Process Injection	1 Credentials in Registry	151 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPaymentAdvice-PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rPaymentAdvice-P_7067ea40173c6bca932f69650b72adac4cc52d8_897d0994_fa2abc5b-2323-451c-b16b-90c9e3ef8be0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER183.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFAD.tmp.dmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Possible Origin

Windows Analysis Report
rPaymentAdvice-PDF.exe

Source	Detection	Scanner	Label
http://upx.sf.net	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://motek.ro	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	Avira URL Cloud	safe
http://x1.i.lencr.org/0	0%	Avira URL Cloud	safe
http://r3.o.lencr.org0	0%	Avira URL Cloud	safe
http://mail.motek.ro	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	unknown
motek.ro	212.146.84.76	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
mail.motek.ro	unknown	unknown	true	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
https://account.dyn.com/	rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E10C79000.00000004.00000800.00020000.00000000.sdmp, rPaymentAdvice-PDF.exe, 00000000.00000002.2186188137.0000024E1028F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3382092463.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.motek.ro	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://motek.ro	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/0	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	MSBuild.exe, 00000003.00000002.3384403596.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3383297469.0000000000F0D000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F4E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000003.00000002.3388722812.0000000005F7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1455406
Start date and time:	2024-06-11 19:46:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPaymentAdvice-PDF.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@4/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 58 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Time	Type	Description
13:47:10	API Interceptor	42x Sleep call for process: MSBuild.exe modified
13:47:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	zb1.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://drive.google.com/file/d/1rUX5pF_yChUfocjQZEgSZVDbnTsCbsyI/view?usp=sharing_eil_m&ts=66679781	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://workspace.cftc.gov/cedc903c-09bb-4a95-bb76-9b133af0550f/?action=reply	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	199.232.210.172
	https://mcfp.felk.cvut.cz	Get hash	malicious	Phisher	Browse	199.232.210.172
	https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://www.tlyrxy.skyliexhys.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://www.tlyrxy.skyliexhys.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://deyangming.angebotfilesoffer.top/	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	199.232.210.172
	https://thetechglitch.com/	Get hash	malicious	Unknown	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	https://34.75.2o2.lol/XZXlZcys3Y0lMeE9qTWRaYisvV2ozVCtKTk9jbmZUSEdiYTZpTS9BYmpHY1I5Q3lSanAxam16TnE1Ly8zaitNeWxyTzBVQWhCS1VjcExjT0xsb284a2FQR1RLMkF3NGpiOVVvVHp4R2h6M3NmOWRIQmlQdmY2clJOcm11TXM2TDNadXUrUGxmclIwVGpyc3ViVndCME9RWXltbDl4QkZiNDVqRUhuVzNpZCs1cmNhS0s2bVk1ZWY3K0VCTG5FQzByWWJBTU53TGVvSjV2MXFBMitJQmgtLUNmdVg1bG1UOGdhbzNBaTQtLU9YTW5YNHNaYnFhVDM5V3BKaGVUZWc9PQ==?cid=2059126474	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://drive.google.com/file/d/1rUX5pF_yChUfocjQZEgSZVDbnTsCbsyI/view?usp=sharing_eil_m&ts=66679781	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	192.229.221.95
	https://workspace.cftc.gov/cedc903c-09bb-4a95-bb76-9b133af0550f/?action=reply	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.chanamais.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	192.229.221.95
	https://na2.docusign.net/Member/EmailStart.aspx?a=d9cc73d9-ae0f-4253-a792-b28e8e553025&acct=61cb9522-75f6-4286-9c9e-e0f21cfcb28c&er=7c01d5b5-65de-4226-821a-b71d7d0d5623&c=E,1,Js_dcjgNrYNrel1HuUzofphnyLHztW0huM_6dgU6JXOMHy6LrFNyRz9u0XbDVY5U7gRSOASLaSlWJc5pS8NIpp_k-HIIGeO2F0BtBCErZxdMks2Qmw,,&typo=1	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://mcfp.felk.cvut.cz	Get hash	malicious	Phisher	Browse	192.229.221.95
	https://info.virtualhealth.com/e3t/Ctc/GB+113/cmmfD04/VWRD9T8N6WzjN8MJTHvTlRp-W842MfZ5g9NL_N6-TN-l3qgyTW7Y8-PT6lZ3mfW56Rjx787zhFxW4_YPND6r6flrW4BlJlg1DphdCVWC28Z4PpMbRW6GGMRN2bfpFdW7hSWPP6KFbcRW4PBy7c6n3dRqN7ztR5NtV-d9W1y6F6Z799h-lN1ZbvtmQ73TLW5ShFj48-W2NPW1L2f016vN6bSW45yp6K7Xp_V9W1fy0nl6xLNR_N5n9x3txmtWFN2nZ6w9QgWwJW1rlxcq4rmPQZW2D31f_3FjFXjN7D51x8lx574V_S2G96X3V3rW3xJHsh5zkBZjW6M_Gg24KcjVwW2wm07P9jh6znVyVtyJ6VBB3ZW80wlHc6H0YX2W1stJK56XtGc2f45z9Cx04	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://rrohlo.ac-page.com/paymentconfirmation	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GTSCEGTSCentralEuropeAntelGermanyCZ	Ordine_nr.24061168372.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	pilnie wymagana wycena dlaprojektu suwalki (1).vbs	Get hash	malicious	GuLoader	Browse	109.205.90.147
	QSX0atAPpN.elf	Get hash	malicious	Mirai	Browse	91.120.152.19
	YfM6hAPQaS.elf	Get hash	malicious	Mirai	Browse	94.42.225.10
	9W8C6mXhAB.elf	Get hash	malicious	Mirai	Browse	94.42.250.26
	mpsl.elf	Get hash	malicious	Mirai	Browse	46.13.53.8
	SMLUVN#U00cd FORMUL#U00c1#U0158-pdf.pif.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	31.14.12.234
	5dzdxe7bVc.elf	Get hash	malicious	Mirai	Browse	194.213.46.247
	ZAMOWIEN.EXE.exe	Get hash	malicious	AgentTesla, DarkTortilla	Browse	185.146.87.128
	td2RgV6HyP.exe	Get hash	malicious	SystemBC	Browse	188.240.2.189

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1634753436511065
Encrypted:	false
SSDEEP:	192:JCr0ofla1Oi0VeWpRaWz3S9l/gCZFv82zuiFFZ24lO8r:O0otaSVBpRa4ifE2zuiFFY4lO8r
MD5:	AA2997089778CAEEAF45A5A0C048CD82
SHA1:	417FDBC31B73AD59B98D6BD7AB46653140FEAB6D
SHA-256:	A4C5607BF4A8E60A61D3E24CD6F75C63776D009AB4DBA6358A87AA5A8AF27D69
SHA-512:	D175AEAFB53462AF13A22234B096A070DF9E84F530A380D522ED05565BF79926CB1C2B5F57B5D4DB378F5498F7FF50EBE921DBA42F4E1CC999C7957C12068515
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.2.6.0.1.6.2.9.8.2.9.4.6.3.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.2.6.0.1.6.3.0.5.1.6.9.7.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.2.a.b.c.5.b.-.2.3.2.3.-.4.5.1.c.-.b.1.6.b.-.9.0.c.9.e.3.e.f.8.b.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.3.1.b.f.8.b.-.3.5.b.f.-.4.e.c.a.-.9.4.4.9.-.6.8.b.8.2.2.a.4.7.4.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.P.a.y.m.e.n.t.A.d.v.i.c.e.-.P.D.F...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.l.u.l.u.x.o.v.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.2.4.-.0.0.0.1.-.0.0.1.5.-.f.1.a.a.-.0.1.6.1.2.7.b.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.0.8.9.a.1.2.b.8.4.4.0.8.5.b.7.2.c.7.c.2.3.2.1.8.a.7.0.e.a.d.6.0.0.0.0.0.0.0.0.!.0.0.0.0.6.8.e.7.4.f.5.6.8.0.6.6.c.3.1.b.0.f.2.b.2.a.2.8.3.7.b.5.c.e.0.7.2.b.0.8.5.7.a.f.!.r.P.a.y.m.e.

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.745052609995144
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	rPaymentAdvice-PDF.exe
File size:	2'613'780 bytes
MD5:	cc74321fe70654e82ead4093093b0116
SHA1:	68e74f568066c31b0f2b2a2837b5ce072b0857af
SHA256:	8819d137ba69b96b3f3c28cca74603e86c4ecea2c821e5332452a51258176439
SHA512:	e02dc05c21788129ee7509daf307b48632fb76d72ad0c01bd5bae78962a0e3c5b3e78052ca6db9a5f5d31d7b3e3ccbc77385a28a62b208385158a5852d897214
SSDEEP:	12288:KP6pSfs5iMrbVM48GaHeRlPKlBEM9JVmkGkJ+yXiR0kVOmPiBR6y:KSIfspZRaHUlCR9JVYci05m6BR6y
TLSH:	C2C51155B263AE4BFC9A4275D4E034F109FD6D2331FAA25FEF821CA691927FC02446B1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....JO..........."...0.]................ ....@...... ....................................`................................

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x864F4AF4 [Tue May 28 08:44:36 2041 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash: