
Analysis Report USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE

Overview

General Information

Sample Name: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Analysis ID: 321120
MD5: 5d3d23738b2b4bb1f7fe3371ea7ecc76
SHA1: 4e72608c340c7b18f4ff359552da57c9dee29e99
SHA256: 21b054a3b319b950887eff329ebb237a5d442e6742e94d66d2ff17cd85f8d930
Tags: EXE, HSBC, ModiLoader

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Startup

  • System is w10x64
  • Owdpdrv.exe (PID: 6760 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe' MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
    • Owdpdrv.exe (PID: 4800 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
  • Owdpdrv.exe (PID: 6872 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe' MD5: 5D3D23738B2B4BB1F7FE3371EA7ECC76)
  • cleanup
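
The process tree above is a hunting pattern on its own: the sample's copy Owdpdrv.exe runs out of %LOCALAPPDATA%\Microsoft\Windows, carries the MD5 of the submitted file, and PID 6760 launches a second Owdpdrv.exe (PID 4800) with the same hash, which fits the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures in the list. The following is an added example, not part of the Joe Sandbox report, of checking process-creation events for that pattern. The events are constructed in a Sysmon-like shape: only the image paths, the PIDs 3912/6760/4800 and the MD5 come from this report; the parent links, the benign events and the heuristic that no user-launched executables belong under that directory are assumptions.

```python
"""Hunt process-creation telemetry for the pattern in the report's process tree:
an .exe running out of %LOCALAPPDATA%\\Microsoft\\Windows, a known-bad hash, and a
child that carries the same hash as its parent (the Owdpdrv.exe 6760 -> 4800 pair).

Added example, not part of the Joe Sandbox report. The event records are
constructed in a Sysmon-like shape: image paths, the PIDs 3912/6760/4800 and the
MD5 are taken from the report; the parent links and the benign events are made up."""
import re
from typing import Iterable

# MD5 of the submitted sample and of its dropped copy Owdpdrv.exe (from the report).
KNOWN_MD5 = {"5d3d23738b2b4bb1f7fe3371ea7ecc76"}

# Heuristic (assumption, not from the report): %LOCALAPPDATA%\Microsoft\Windows
# holds caches and settings rather than user-launched programs, so an .exe
# executing from there deserves a look even without a hash match.
LOCALAPPDATA_MS_WINDOWS_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\microsoft\\windows\\[^\\]+\.exe$",
    re.IGNORECASE,
)

SAMPLE_EVENTS = [  # constructed; MD5s other than the sample's are placeholders
    {"pid": 4000, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "md5": "0f3d6a1f0c2e4b1d9a8c7e6f5d4c3b2a"},
    {"pid": 3912, "ppid": 4000,
     "image": r"C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE",
     "md5": "5d3d23738b2b4bb1f7fe3371ea7ecc76"},
    {"pid": 6760, "ppid": 4000,
     "image": r"C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe",
     "md5": "5D3D23738B2B4BB1F7FE3371EA7ECC76"},
    {"pid": 4800, "ppid": 6760,
     "image": r"C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe",
     "md5": "5D3D23738B2B4BB1F7FE3371EA7ECC76"},
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\System32\notepad.exe",
     "md5": "1a2b3c4d5e6f708192a3b4c5d6e7f809"},
]


def hunt(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (pid, rule) hits. Events need pid, ppid, image and md5 keys."""
    by_pid = {e["pid"]: e for e in events}
    hits: list[tuple[int, str]] = []
    for e in by_pid.values():
        image = e["image"]
        md5 = e["md5"].lower()
        if LOCALAPPDATA_MS_WINDOWS_EXE.match(image):
            hits.append((e["pid"], "exe_in_localappdata_microsoft_windows"))
        if md5 in KNOWN_MD5:
            hits.append((e["pid"], "known_sample_md5"))
        # A process re-launching its own binary, as in the report's Owdpdrv.exe
        # 6760 -> 4800 pair. System binaries (cmd.exe spawning cmd.exe, etc.) do
        # this legitimately, so the check is limited to images outside C:\Windows.
        parent = by_pid.get(e["ppid"])
        if (parent is not None and parent["md5"].lower() == md5
                and not image.lower().startswith("c:\\windows\\")):
            hits.append((e["pid"], "child_same_md5_as_parent"))
    return hits


if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
```

The hash check is the brittle part (a repacked build changes it); the directory heuristic and the same-hash parent/child check are what carry over to the next sample of this loader.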

Malware Configuration

Threatname: Agenttesla

{"Username: ": "PQTF8kmaji", "URL: ": "http://WuQXJFerpNu.net", "To: ": "Crystal@suncurepelletmill.com", "ByHost: ": "mail.suncurepelletmill.com:587", "Password: ": "Y4nU5SbKWMVNWw", "From: ": "Crystal@suncurepelletmill.com"}

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\pdwO.url | Rule: Methodology_Shortcut_HotKey | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x9b: $hotkey: \x0AHotKey=1
  • 0x0: $url_explicit: [InternetShortcut]
Source: C:\Users\user\AppData\Local\pdwO.url | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x14: $file: URL=
  • 0x0: $url_explicit: [InternetShortcut]
Source: C:\Users\user\AppData\Local\pdwO.url | Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0x70: $icon: IconFile=
  • 0x0: $url_explicit: [InternetShortcut]
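
The three rules above key on the same .url fields (HotKey=, URL=, IconFile=) as raw strings; the offsets are consistent with an ordinary CRLF-terminated shortcut, since "[InternetShortcut]\r\n" is 20 bytes and the URL= match sits at 0x14. Here is an added example, not from the report and not Nick Carr's rule logic, of the same triage done on the parsed file instead of on byte patterns. The two .url files in it are constructed, and the assumption that only http/https targets are expected in a user's shortcut is my reading of the OtherURIhandlers rule name.

```python
"""Triage an Internet Shortcut (.url) file for the persistence tricks that the
three Methodology_* Yara hits above point at.

Added example: not part of the Joe Sandbox report and not Nick Carr's rule
logic; an approximation of what the rule names and matched strings describe
(HotKey set, URL= using a non-web URI handler, IconFile that is not an
.exe/.dll/.ico). The sample files below are constructed."""
import ntpath
from urllib.parse import urlsplit

# Constructed: same field set the report matched in pdwO.url, invented values.
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/user/AppData/Local/Temp/constructed_example.exe\r\n"
    "IconFile=C:\\Users\\user\\AppData\\Local\\Temp\\constructed_icon.dat\r\n"
    "HotKey=1\r\n"
)

# Constructed benign shortcut: https target, icon from a system DLL, no hotkey.
BENIGN_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=https://example.com/\r\n"
    "IconFile=%SystemRoot%\\system32\\SHELL32.dll\r\n"
    "IconIndex=13\r\n"
)

# Assumption: only web URLs are expected in a user's shortcut; anything else
# (file:, ms-*, a bare drive path, ...) is dispatched to another URI handler.
WEB_SCHEMES = {"http", "https"}
ICON_SOURCES = {".exe", ".dll", ".ico"}


def parse_internet_shortcut(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [InternetShortcut] section.

    Keys are lower-cased; the first occurrence of a key wins. Raises ValueError
    when the section header is missing, which is the precondition all three
    rules share ($url_explicit)."""
    fields: dict[str, str] = {}
    seen_header = False
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            seen_header = seen_header or in_section
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields.setdefault(key.strip().lower(), value.strip())
    if not seen_header:
        raise ValueError("no [InternetShortcut] section")
    return fields


def triage_url_shortcut(text: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs; an empty list means nothing odd."""
    fields = parse_internet_shortcut(text)
    findings: list[tuple[str, str]] = []

    # HotKey=<n>: a key combination launches the target from the shell.
    # The rule's regex wants a non-zero leading digit; any non-zero value counts here.
    hotkey = fields.get("hotkey", "0")
    if hotkey.strip("0") != "":
        findings.append(("Shortcut_HotKey", f"HotKey={hotkey}"))

    # URL= handed to something other than the web browser.
    url = fields.get("url", "")
    if url and urlsplit(url).scheme.lower() not in WEB_SCHEMES:
        findings.append(("Shortcut_OtherURIhandler", f"URL={url}"))

    # IconFile= that is not an executable, DLL or icon file.
    icon = fields.get("iconfile")
    if icon is not None and ntpath.splitext(icon)[1].lower() not in ICON_SOURCES:
        findings.append(("Shortcut_IconNotFromExeOrDLLOrICO", f"IconFile={icon}"))
    return findings


if __name__ == "__main__":
    for name, data in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, triage_url_shortcut(data) or "clean")
```

Parsing first means a rule cannot be dodged with whitespace or key casing that a fixed byte pattern would miss, at the cost of having to read every .url file on disk rather than scanning memory dumps, which is where two of the three hits in this report came from.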

Memory Dumps

Source: 0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000B.00000003.767263953.00000000004C1000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000B.00000002.935842915.0000000004F00000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.935435728.0000000003471000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp | Rule: Methodology_Contains_Shortcut_OtherURIhandlers | Description: Detects possible shortcut usage for .URL persistence | Author: @itsreallynick (Nick Carr)
  • 0xde8: $file: URL=
  • 0xdcc: $url_explicit: [InternetShortcut]
(19 further entries not shown)

          Unpacked PEs

Source: 11.2.Owdpdrv.exe.4f00000.4.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4ec0000.3.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2400000.2.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 11.2.Owdpdrv.exe.4f00000.4.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
(3 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.4460.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "PQTF8kmaji", "URL: ": "http://WuQXJFerpNu.net", "To: ": "Crystal@suncurepelletmill.com", "ByHost: ": "mail.suncurepelletmill.com:587", "Password: ": "Y4nU5SbKWMVNWw", "From: ": "Crystal@suncurepelletmill.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Virustotal: Detection: 26%
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | ReversingLabs: Detection: 16%
Source: 5.2.Owdpdrv.exe.2c50000.6.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2df0000.5.unpack | Avira: Label: TR/Hijacker.Gen
Source: 1.2.USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE.2e90000.6.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.Owdpdrv.exe.2cf0000.7.unpack | Avira: Label: TR/Dropper.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49769 -> 192.186.237.168:587
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | IP Address: 162.159.138.232
Source: Joe Sandbox View | IP Address: 162.159.135.233
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: discord.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934877979.00000000027C3000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.899170983.0000000005111000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934934311.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://WuQXJFerpNu.net
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: http://hHeaxI.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp | String found in binary or memory: http://mail.suncurepelletmill.com
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.934905842.00000000027C9000.00000004.00000001.sdmp | String found in binary or memory: http://suncurepelletmill.com
Source: Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.disc8
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discorda
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.c
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696849625.0000000002600000.00000004.00000001.sdmp, Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/a
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attac0
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachmen
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/77848
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7784816176054
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/77848161760549277$
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/77
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/7791933544
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/77919335445784
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/OwdH
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/778481617605492770/779193354457841664/Owdprrr
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/7784816178
Source: Owdpdrv.exe, 00000005.00000002.784138611.0000000004050000.00000004.00000001.sdmp | String found in binary or memory: https://discord.com/
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.934476385.0000000002607000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Window created: window name: CLIPBRDWNDCLASS
Source: Yara match | File source: Process Memory Space: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE PID: 3912, type: MEMORY
Source: Yara match | File source: Process Memory Space: Owdpdrv.exe PID: 6760, type: MEMORY
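
The Snort hit above is a content signature on the SMTP session from the sandbox host to 192.186.237.168:587, the same submission port the extracted configuration names (mail.suncurepelletmill.com:587). What follows is an added example, not part of the Joe Sandbox report, of the flow-level companion check a SOC would run beside such a signature: workstation egress on mail submission ports to anything but sanctioned relays, plus a plain IOC match on the destination. The flow records are constructed; only 192.168.2.4, 192.186.237.168:587 and 162.159.136.232 come from the report, and the workstation subnet and relay allowlist are assumptions for the example.

```python
"""Flow-level detection for the exfil channel in the report: SMTP submission
from a workstation to a host that is not a sanctioned relay, plus a straight
IOC match on the destination that triggered Snort SID 2030171.

Added example, not from the Joe Sandbox report. The flow records are
constructed; 192.168.2.4 (the sandbox host), 192.186.237.168:587 (the SMTP
destination in the Snort alert) and 162.159.136.232 (one of the HTTPS peers)
are taken from the report. The relay allowlist and workstation subnet are
assumptions for the example; 10.0.0.25 and 203.0.113.10 are placeholders."""
import csv
import io
import ipaddress

SUBMISSION_PORTS = {25, 465, 587}

# Assumptions: where user workstations live and which hosts may legitimately
# receive mail from them.
WORKSTATION_NETS = ("192.168.2.0/24",)
CORPORATE_RELAYS = {"10.0.0.25"}

# From the report's Snort alert (AgentTesla SMTP exfil destination).
REPORT_IOC_IPS = {"192.186.237.168"}

SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto
2020-11-20T10:01:02Z,192.168.2.4,49733,162.159.136.232,443,tcp
2020-11-20T10:01:05Z,192.168.2.4,49769,192.186.237.168,587,tcp
2020-11-20T10:02:00Z,192.168.2.7,51000,10.0.0.25,587,tcp
2020-11-20T10:02:10Z,192.168.2.9,51020,203.0.113.10,25,tcp
2020-11-20T10:03:00Z,192.168.2.4,49801,192.186.237.168,587,tcp
"""


def detect_smtp_exfil(flow_csv, relays, ioc_ips, workstation_nets):
    """Return (ts, src, "dst:port", [reasons]) for every suspicious TCP flow."""
    nets = [ipaddress.ip_network(n) for n in workstation_nets]
    relay_addrs = {ipaddress.ip_address(r) for r in relays}
    ioc_addrs = {ipaddress.ip_address(i) for i in ioc_ips}
    alerts = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        dport = int(row["dst_port"])
        reasons = []
        # Exact match on the destination the report's Snort alert named.
        if dst in ioc_addrs:
            reasons.append("known_ioc_ip")
        # Workstations have no business talking SMTP to anything but the relays.
        if (dport in SUBMISSION_PORTS and any(src in n for n in nets)
                and dst not in relay_addrs):
            reasons.append("smtp_from_workstation_to_unsanctioned_host")
        if reasons:
            alerts.append((row["ts"], str(src), f"{dst}:{dport}", reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect_smtp_exfil(SAMPLE_FLOWS, CORPORATE_RELAYS,
                                   REPORT_IOC_IPS, WORKSTATION_NETS):
        print(*alert)
```

A content rule such as 2030171 needs the SMTP payload in the clear; the flow check above only needs the 5-tuple, so it also fires on a session that upgrades to TLS after STARTTLS, at the price of a relay allowlist that has to be kept current. The HTTPS flow to 162.159.136.232 (the discord CDN fetch the report records) is deliberately not flagged here: it has neither a mail port nor an IOC destination.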

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code functions: 2_2_00408C60, 2_2_0040DC11, 2_2_00407C3F, 2_2_00418CCC, 2_2_00406CA0, 2_2_004028B0, 2_2_0041A4BE, 2_2_00418244, 2_2_00401650, 2_2_00402F20, 2_2_004193C4, 2_2_00418788, 2_2_00402F89, 2_2_00402B90, 2_2_004073A0, 2_2_00480040, 2_2_0048A4D8, 2_2_0048CCF8, 2_2_004895F8, 2_2_00480D91, 2_2_00487048, 2_2_00493048, 2_2_0049BC78, 2_2_0049D988, 2_2_00498E00, 2_2_0049F220, 2_2_00493311, 2_2_00499CE8, 2_2_0049AD80, 2_2_00814824, 2_2_00813028, 2_2_00818478, 2_2_00811560, 2_2_0081A8C8, 2_2_00812FC8, 2_2_0081DF12, 2_2_0086B278
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code functions: 11_2_00408C60, 11_2_0040DC11, 11_2_00407C3F, 11_2_00418CCC, 11_2_00406CA0, 11_2_004028B0, 11_2_0041A4BE, 11_2_00418244, 11_2_00401650, 11_2_00402F20, 11_2_004193C4, 11_2_00418788, 11_2_00402F89, 11_2_00402B90, 11_2_004073A0, 11_2_02170C56, 11_2_02170C60, 11_2_04F70040, 11_2_04F7001F, 11_2_04F79283, 11_2_05A62FA0, 11_2_05A64EB0, 11_2_05A62388, 11_2_05A626D0
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXECode function: String function: 0040E1D8 appears 43 times
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exeCode function: String function: 0040E1D8 appears 44 times
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEStatic PE information: invalid certificate
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: Owdpdrv.exe.1.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696671406.00000000023F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.698043220.000000007F470000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.697939174.00000000046E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.696682355.0000000002410000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000001.00000002.697299189.0000000002AA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.927294895.000000000045A000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameygwxuBNDsCnleMFrPILFrkECdmuYRRQwMZPAraQ.exe4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.698959513.0000000000708000.00000004.00000001.sdmpBinary or memory string: OriginalFilename_.dll4 vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.930286972.00000000007F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938935829.0000000005610000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938230564.0000000004F30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.933886627.0000000002471000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.938190674.0000000004F20000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
                    Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.927026885.0000000000198000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000002.939208870.0000000005920000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Section loaded: mscorjit.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Section loaded: mscorjit.dll
Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000005.00000002.783743346.0000000002C67000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000001.00000002.697786352.0000000002E07000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\pdwO.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
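The three rule hits on the dropped pdwO.url say the shortcut carries a HotKey, a URL that is not an ordinary http(s) target, and an icon path that does not end in .exe/.dll/.ico. The contents of pdwO.url are not shown on this page. The parser below is an added example, not part of the report or of the matched rules: it reads an [InternetShortcut] file and applies the same three heuristics to a constructed sample. The sample shortcut, its target path and its hotkey value are made up; the checks approximate the intent of the rule names and are not the rules themselves.

```python
import configparser
from urllib.parse import urlsplit

# Constructed .url file, NOT the contents of pdwO.url (this page does not show it).
# Built so that each of the three methodology rules matched above would fire:
# a HotKey, a non-http(s) URL handler, and an icon path that is not .exe/.dll/.ico.
# The target path and the hotkey value are hypothetical.
SAMPLE_URL_FILE = r"""[InternetShortcut]
URL=file:///C:/ProgramData/example/launcher.exe
IconFile=C:\ProgramData\example\launcher.url
IconIndex=0
HotKey=1613
"""

# Modifier bits in the high byte of a shortcut HotKey WORD (low byte = virtual key),
# the same encoding IShellLink::SetHotkey uses.
HOTKEY_MODIFIERS = ((0x01, "Shift"), (0x02, "Ctrl"), (0x04, "Alt"))


def decode_hotkey(value):
    """Render a HotKey WORD such as 1613 (0x064D) as 'Ctrl+Alt+M'."""
    mods = [name for bit, name in HOTKEY_MODIFIERS if (value >> 8) & bit]
    vk = value & 0xFF
    key = chr(vk) if 0x30 <= vk <= 0x5A else f"VK_0x{vk:02X}"
    return "+".join(mods + [key])


def analyze_url_shortcut(text):
    """Parse an [InternetShortcut] file and list the persistence heuristics it trips."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    if not cp.has_section("InternetShortcut"):
        return {"valid": False, "findings": []}
    sec = cp["InternetShortcut"]
    findings = []

    # 1. OtherURIhandlers: anything other than http/https hands the click to a
    #    different protocol handler (file:, javascript:, ms-*: ...).
    url = (sec.get("URL") or "").strip()
    scheme = urlsplit(url).scheme.lower()
    if url and scheme not in ("http", "https"):
        findings.append(f"other URI handler: scheme '{scheme or '(none)'}' in {url}")

    # 2. IconNotFromExeOrDLLOrICO: a legitimate shortcut borrows its icon from a
    #    binary or an .ico; pointing it elsewhere is a known trick to force an
    #    extra file fetch or to disguise the target.
    icon = (sec.get("IconFile") or "").strip()
    if icon and not icon.lower().endswith((".exe", ".dll", ".ico")):
        findings.append(f"icon not from exe/dll/ico: {icon}")

    # 3. HotKey: a non-zero hotkey lets the shortcut fire without a click.
    hotkey = (sec.get("HotKey") or "").strip()
    if hotkey.isdigit() and int(hotkey) != 0:
        findings.append(f"hotkey set: {hotkey} = {decode_hotkey(int(hotkey))}")

    return {"valid": True, "url": url, "findings": findings}
```

Run it over every *.url under %LOCALAPPDATA% and the Startup folders; a shortcut that trips all three checks, as pdwO.url did for the sandbox, deserves the same attention as the Run key entry further down.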
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@8/6
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 2_2_004019F0 (observed 2 times)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Command line argument: 08A | 11_2_00413780
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (observed 3 times)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (observed 5 times)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File read: C:\Windows\System32\drivers\etc\hosts (observed 6 times)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | File read: C:\Windows\System32\drivers\etc\hosts (observed 6 times)
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Virustotal: Detection: 26%
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File read: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: unknown | Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE 'C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE'
Source: unknown | Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe' (observed 2 times)
Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Process created: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Static file information: File size 1346928 > 1048576
                    Source: Binary string: _.pdb source: USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE, 00000002.00000003.698959513.0000000000708000.00000004.00000001.sdmp, Owdpdrv.exe, 0000000B.00000002.932033702.00000000021F4000.00000004.00000001.sdmp

                    Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Unpacked PE file: 11.2.Owdpdrv.exe.400000.0.unpack .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Unpacked PE file: 11.2.Owdpdrv.exe.400000.0.unpack
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 2_2_004019F0
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0041C40C push cs; iretd | 2_2_0041C4E2
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_00423149 push eax; ret | 2_2_00423179
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0041C50E push cs; iretd | 2_2_0041C4E2
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004231C8 push eax; ret | 2_2_00423179
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0040E21D push ecx; ret | 2_2_0040E230
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_0041C6BE push ebx; ret | 2_2_0041C6BF
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_00485E8F push edi; retn 0000h | 2_2_00485E91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0041C40C push cs; iretd | 11_2_0041C4E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_00423149 push eax; ret | 11_2_00423179
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0041C50E push cs; iretd | 11_2_0041C4E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_004231C8 push eax; ret | 11_2_00423179
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0040E21D push ecx; ret | 11_2_0040E230
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_0041C6BE push ebx; ret | 11_2_0041C6BF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Code function: 11_2_04F765C3 push eax; ret | 11_2_04F765CD
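The two unpacking signatures above rest on one comparison: the section table of Owdpdrv.exe on disk against the section table found in the running process (11.2.Owdpdrv.exe.400000.0.unpack). An added example of that check follows; it is not part of the report and uses no third-party modules. The two layouts are constructed from the tables quoted in the signature (the on-disk MSVC-style .text/.rdata/.data/.rsrc versus the Delphi-style .itext/.bss/.idata/.tls image in memory); the exact Characteristics bits, the read bit shown on writable sections and the header comparison are assumptions for illustration, not data from the page.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

# Constructed layouts modelled on the two tables in the signature above: the file
# on disk and the image dumped from memory. Rights are illustrative, not measured.
DISK_LAYOUT = [(".text", E | R), (".rdata", R), (".data", R | W), (".rsrc", R)]
DUMP_LAYOUT = [(".text", E | R), (".itext", E | R), (".data", R | W), (".bss", R | W),
               (".idata", R | W), (".tls", R | W), (".rdata", R), (".reloc", R), (".rsrc", R)]


def build_minimal_pe(sections):
    """Constructed test input: a PE32 skeleton carrying only the fields the parser
    below reads (e_lfanew, NumberOfSections, SizeOfOptionalHeader, section names
    and Characteristics). It parses but is not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x010B).ljust(0xE0, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                    0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections)
    return dos + b"PE\0\0" + coff + optional + table


def _section_table_span(image):
    """(offset of first IMAGE_SECTION_HEADER, number of sections)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    return e_lfanew + 24 + opt_size, num_sections


def section_rights(image):
    """[(name, flags)] with flags a subset of 'ERW', close to the report's notation.
    Works on the on-disk file and on a dumped image alike."""
    start, count = _section_table_span(image)
    rights = []
    for i in range(count):
        name, chars = struct.unpack_from("<8s28xI", image, start + 40 * i)
        flags = "".join(f for f, bit in (("E", E), ("R", R), ("W", W)) if chars & bit)
        rights.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return rights


def format_rights(rights):
    return "".join(f"{name}:{flags};" for name, flags in rights)


def unpacking_indicators(disk, dump):
    """Compare the on-disk section table with the one in a process dump. Any
    difference in layout, rights or header bytes means the running image is not
    the file that was loaded, i.e. the sample unpacked something over itself."""
    disk_tbl, dump_tbl = dict(section_rights(disk)), dict(section_rights(dump))
    findings = []
    for name in sorted(dump_tbl.keys() - disk_tbl.keys()):
        findings.append(f"section {name} exists only in memory")
    for name in sorted(disk_tbl.keys() - dump_tbl.keys()):
        findings.append(f"section {name} missing from memory")
    for name in sorted(disk_tbl.keys() & dump_tbl.keys()):
        if disk_tbl[name] != dump_tbl[name]:
            findings.append(f"section {name} rights changed {disk_tbl[name]} -> {dump_tbl[name]}")
    for name, flags in dump_tbl.items():
        if "E" in flags and "W" in flags:
            findings.append(f"section {name} is writable and executable in memory")
    # Second signature: the PE header itself was rewritten in place.
    start, count = _section_table_span(disk)
    dstart, dcount = _section_table_span(dump)
    if disk[:start + 40 * count] != dump[:dstart + 40 * dcount]:
        findings.append("PE header differs between disk and memory")
    return findings
```

On a real case, feed the bytes of the dropped file and a dump of the process taken after the injection step; a Delphi section layout appearing inside a process whose file on disk has an MSVC layout, as here, is the loader stage handing over to an embedded payload.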
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Owdp (observed 2 times)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Process information set: NOOPENFILEERRORBOX (observed 51 times)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Process information set: NOOPENFILEERRORBOX (observed 42 times)

                    Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 2_2_004019F0
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | Window / User API: threadDelayed 597
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe | Window / User API: threadDelayed 471
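The evasion evidence in this section is of three kinds: WMI enumeration of hardware classes that expose a hypervisor (Win32_BaseBoard, Win32_NetworkAdapterConfiguration and, earlier, Win32_Processor), a delay of 922337203685477 ms, which is TimeSpan.MaxValue expressed in milliseconds and so a wait that never expires on its own, and sleep loops with several hundred iterations. The script below is an added example, not part of the report: a small triage that buckets lines written in the report's own format into those three indicators. The input is a constructed subset of the lines on this page; the 3-minute and 30-iteration bars come from the signature names on this page; treating the "Thread sleep time" values as milliseconds is an assumption, as is the class list used for VM fingerprinting.

```python
import re

# Constructed subset of this report's evasion lines, in the report's own format
# (source column dropped).
SAMPLE_EVENTS = r"""
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Thread delayed: delay time: 922337203685477
Window / User API: threadDelayed 597
TID: 7068 Thread sleep time: -59406s >= -30000s
TID: 7084 Thread sleep count: 597 > 30
""".strip().splitlines()

# TimeSpan.MaxValue (Int64.MaxValue ticks of 100 ns) in milliseconds: the value
# the report shows, i.e. a delay that never expires on its own.
TIMESPAN_MAX_MS = 9223372036854775807 // 10000
LONG_SLEEP_MS = 3 * 60 * 1000      # the page's "long sleeps (>= 3 min)" bar
SLEEP_COUNT_BAR = 30               # the page's "sleep count ... > 30" bar
# WMI classes the page names as VM-fingerprinting sources (prefix match, assumption).
VM_CLASSES = ("Win32_Bios", "Win32_BaseBoard", "Win32_NetworkAdapter", "Win32_Processor")

WMI_RE = re.compile(r"WMI Queries: IWbemServices::(\w+) - \S+ : (.*)$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
SLEEP_RE = re.compile(r"Thread sleep time: -?(\d+)s")   # values treated as ms (assumption)
COUNT_RE = re.compile(r"(?:Thread sleep count|threadDelayed)[: ]+(\d+)")


def triage_evasion(lines):
    """Bucket sandbox-report lines into the evasion indicators this page flags."""
    out = {"vm_fingerprint": [], "long_sleeps_ms": [], "sleep_loops": []}
    for line in lines:
        m = WMI_RE.search(line)
        if m:
            # CreateInstanceEnum names the class directly; ExecQuery carries a WQL
            # statement, so pull the class out of either form the same way.
            cls = re.search(r"Win32_\w+", m.group(2))
            if cls and cls.group(0).startswith(VM_CLASSES):
                out["vm_fingerprint"].append((m.group(1), cls.group(0)))
            continue
        m = DELAY_RE.search(line) or SLEEP_RE.search(line)
        if m:
            ms = int(m.group(1))
            if ms >= LONG_SLEEP_MS:
                out["long_sleeps_ms"].append(ms)
            continue
        m = COUNT_RE.search(line)
        if m and int(m.group(1)) > SLEEP_COUNT_BAR:
            out["sleep_loops"].append(int(m.group(1)))
    out["infinite_delay"] = any(ms >= TIMESPAN_MAX_MS for ms in out["long_sleeps_ms"])
    out["score"] = sum(bool(out[k]) for k in ("vm_fingerprint", "long_sleeps_ms", "sleep_loops"))
    return out
```

A single Win32_Processor query is ordinary for .NET code (the runtime and many installers ask for it); the combination of BaseBoard plus NetworkAdapterConfiguration plus a TimeSpan.MaxValue wait is what separates this sample from a noisy but benign binary, which is why the triage scores categories rather than individual lines.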
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7084 | Thread sleep count: 263 > 30
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7084 | Thread sleep count: 597 > 30
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -59406s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -52094s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -38094s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -58312s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -57406s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -56312s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -55406s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -54812s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -54094s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -53906s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -52812s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -52594s >= -30000s
Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068 | Thread sleep time: -51906s >= -30000s
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068Thread sleep time: -51500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE TID: 7068Thread sleep time: -51312s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 6756Thread sleep count: 471 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -58500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -57594s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -56500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -55188s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -55000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -53688s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -53000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -52594s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -51500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -50594s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -49500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -48594s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -47094s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -44000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -43594s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -43188s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -42688s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -42500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -42094s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -41188s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -41000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -40500s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -40094s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -39688s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.exe TID: 7048Thread sleep time: -39188s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Owdpdrv.ex