Analysis Report Payment_Advice_pdf.exe

Overview

General Information

Sample Name: Payment_Advice_pdf.exe
Analysis ID: 324331
MD5: 536cf4ed17eba1bf41ef70faaa2054a4
SHA1: 72e062dd7a10d8b9e66732d5037c5156a9741d30
SHA256: c8ad1b5688fbbc359ee4256d3c7fbca2d09bdd4968000dc8ffb86bb9964ac213
Tags: Agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: Payment_Advice_pdf.exe Virustotal: Detection: 39%
Source: Payment_Advice_pdf.exe Metadefender: Detection: 18%
Source: Payment_Advice_pdf.exe ReversingLabs: Detection: 48%
Antivirus or Machine Learning detection for unpacked file
Source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: hastebin.com
Source: unknown DNS query: name: pastebin.com
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.98.190
Source: Joe Sandbox View IP Address: 172.67.143.180
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS traffic detected: queries for: hastebin.com
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Payment_Advice_pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Payment_Advice_pdf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 0000000D.00000002.517611780.0000000000A88000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Payment_Advice_pdf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omn
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Payment_Advice_pdf.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/Cloudfl
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Payment_Advice_pdf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Payment_Advice_pdf.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://oTJwpq.com
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Payment_Advice_pdf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Payment_Advice_pdf.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digp
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngTG
Source: powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.532936323.0000000004761000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.532691170.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 00000010.00000002.585877442.0000000004761000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.535729267.0000000004B51000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlTG
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Payment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterTG
Source: Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/asixarufey
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/caqubavere
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/foqosepayu
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/fufufevuxa
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/noqadobanu
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/onikuyajar
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/oqigugirew
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/saconikone
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/userirulod
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/walodekari
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/yafimefexo
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/yimijojino
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.com/raw/zegivutiko
Source: Payment_Advice_pdf.exe, 0000001B.00000002.536730759.0000000002A8C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.537590651.00000000036B9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533702642.00000000030C3000.00000004.00000001.sdmp String found in binary or memory: https://hastebin.comD8
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.536730759.0000000002A8C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.537590651.00000000036B9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533702642.00000000030C3000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533400666.00000000030AC000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.co
Source: Payment_Advice_pdf.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: Payment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Payment_Advice_pdf.exe, 00000020.00000002.522672763.000000000122B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large strings
Source: Payment_Advice_pdf.exe, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Source: Payment_Advice_pdf.exe.0.dr, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Source: 0.0.Payment_Advice_pdf.exe.a20000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Source: 22.0.Payment_Advice_pdf.exe.840000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Source: 22.2.Payment_Advice_pdf.exe.840000.1.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Source: 23.2.Payment_Advice_pdf.exe.db0000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs Long String: Length: 75040
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment_Advice_pdf.exe
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0080EDA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0080A570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0081A0C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0081F890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0081E028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0081BCF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00DE1088
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00DEF528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_01196848
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_01197CE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0487C9B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0487EA10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00386ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00387F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00398458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00390040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0039B448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00391870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00396E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_006E7F38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_006EAFD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0102B150
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_010284B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_01066F88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_01068010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_010643C0
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 22_2_012B46A0
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 22_2_012B4630
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 22_2_012B4690
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 23_2_014C0468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 23_2_014C0457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 25_2_01850468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 25_2_01850457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 27_2_00B80468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 27_2_00B80457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 28_2_01660468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Code function: 28_2_01660457
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Code function: 32_2_014B0468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Code function: 32_2_014B0457
PE / OLE file has an invalid certificate
Source: Payment_Advice_pdf.exe Static PE information: invalid certificate
PE file contains strange resources
Source: Payment_Advice_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Payment_Advice_pdf.exe, 00000000.00000003.316353924.0000000005E67000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe Binary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000016.00000000.333815367.0000000000842000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000017.00000002.357200362.00000000015FA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000017.00000000.343447880.0000000000DB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000019.00000002.509305247.0000000000E52000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000019.00000002.521307297.000000000161A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 0000001B.00000002.524460175.0000000000BA9000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 0000001B.00000002.509293707.0000000000372000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 0000001C.00000002.509221914.0000000000E62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000020.00000002.508979983.0000000000BB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@26/15@13/2
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\642ea71a-359c-4338-a04f-1ead15fc1a7a
Source: Payment_Advice_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File read: C:\Windows\System32\drivers\etc\hosts (3 identical entries)
Source: Payment_Advice_pdf.exe Virustotal: Detection: 39%
Source: Payment_Advice_pdf.exe Metadefender: Detection: 18%
Source: Payment_Advice_pdf.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File read: C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' (4 identical entries)
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force (3 identical entries)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment_Advice_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Advice_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 0000000D.00000002.517611780.0000000000A88000.00000004.00000001.sdmp
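The process-creation entries above show the sample spawning powershell.exe four times to run Add-MpPreference -ExclusionPath, once for its Desktop copy and three times for the Startup-folder copy, each followed by a timeout 4 sleep. Add-MpPreference only changes Defender preferences from an elevated (administrator) context, so the command lines prove intent; whether the exclusions actually landed has to be checked on the host. The PowerShell below is an added example of that check and is not code from the sandbox report or from the sample. It assumes the two paths from this report resolve under the affected user's profile (the sandbox user was 'user'), that Microsoft Defender is installed, and that Sysmon is present for step 3; Get-MpPreference and Remove-MpPreference are the built-in Defender cmdlets.

```powershell
# Added example, not part of the Joe Sandbox report or the sample: audit the
# Defender exclusions the sample tries to add and find the events that created
# them. Run from an elevated PowerShell on the suspect host.

# Paths the report shows passed to Add-MpPreference -ExclusionPath. The sandbox
# user was 'user'; on a real host they resolve under the affected profile.
$SuspectPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe",
    "$env:USERPROFILE\Desktop\Payment_Advice_pdf.exe"
)

# 1. Current exclusion state. Add-MpPreference succeeds only when elevated, so
#    an exclusion that is actually present means the sample ran with admin
#    rights and Defender is now skipping that file.
$pref = Get-MpPreference
Write-Host '== Defender path exclusions =='
foreach ($path in @($pref.ExclusionPath)) {
    $flag = if ($SuspectPaths -contains $path) { 'SUSPECT' } else { '' }
    '{0,-8} {1}' -f $flag, $path
}

# 2. Who changed the configuration. Defender records every preference change
#    as event 5007 in its Operational log with old and new value in the
#    message; path exclusions show up under ...\Exclusions\Paths.
Write-Host '== Defender configuration changes touching exclusions (event 5007) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\Paths' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. The command line that did it. Sysmon event 1 always carries CommandLine
#    and ParentImage; the Security log's 4688 event carries the command line
#    only if "Include command line in process creation events" is enabled.
Write-Host '== Add-MpPreference invocations (Sysmon event 1) =='
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference\s+-ExclusionPath' } |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    } | Format-Table -AutoSize -Wrap

# 4. Remove the exclusions once the files have been collected for analysis.
foreach ($path in $SuspectPaths) {
    if (@($pref.ExclusionPath) -contains $path) {
        Remove-MpPreference -ExclusionPath $path
        "Removed exclusion: $path"
    }
}
```

Step 2 is the durable evidence: even if the sample later cleans up, the 5007 events survive in the Defender log, and a detection rule on event 5007 whose message contains Exclusions\Paths catches this family's behaviour without needing the command line at all.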

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_008131C0 push ebx; ret 13_2_008131CE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00815AF8 push eax; mov dword ptr [esp], edx 13_2_00815B0C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00818DC0 push es; ret 13_2_00818DD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00815EB0 push eax; mov dword ptr [esp], edx 13_2_00815EB4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_00818FE1 push eax; mov dword ptr [esp], ecx 13_2_00818FF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00DE0690 push es; ret 15_2_00DE06A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00DE0A81 push es; ret 15_2_00DE0A90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0119C891 push 3800B793h; retf 15_2_0119C89D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0119D241 push eax; retf 15_2_0119D24D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_0487D5A0 push es; ret 15_2_0487D5B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00385D51 push eax; mov dword ptr [esp], edx 16_2_00385D64
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00392160 push eax; mov dword ptr [esp], edx 16_2_00392174
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00396260 push es; ret 16_2_00396270
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00396450 push eax; mov dword ptr [esp], edx 16_2_00396464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_003978D0 push es; ret 16_2_003978E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_00399A98 push 0000C36Dh; ret 16_2_00399C3A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_006ED027 push esp; retf 16_2_006ED035
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00BB0810 pushad ; retf 19_2_00BB0811
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_00BB0C30 push eax; mov dword ptr [esp], edx 19_2_00BB0C44
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_0106A2D1 push FF580101h; retf 19_2_0106A2D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 19_2_01064E38 push FFFFFF8Bh; retf 19_2_01064E23

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> (2 identical entries)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe (2 identical entries)
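Taken together, the Boot Survival entries show three per-user persistence points: two values under the HKCU Run key (one named after the sample, one whose name the sandbox did not resolve), a Shell value under the user's Winlogon key, and a copy of the sample in the Startup folder that receives a Zone.Identifier stream. The PowerShell below is an added example of a triage check for those three locations and is not code from the report or from the sample. It assumes the sample name from this report and runs as the affected user, since reading HKCU and the Startup folder needs no elevation; the Winlogon default of explorer.exe and the ATT&CK technique ID are general facts, not something the report states.

```powershell
# Added example, not part of the Joe Sandbox report or the sample: enumerate
# the per-user autostart locations this sample writes and flag what it left.
# Run as the affected user; HKCU and the Startup folder need no elevation.

$SampleName = 'Payment_Advice_pdf.exe'   # taken from the report; adjust for variants

# 1. HKCU Run values. The report records one value named after the sample and
#    one whose name the sandbox did not resolve, so list every value and flag
#    any whose data references the sample.
Write-Host '== HKCU\Software\Microsoft\Windows\CurrentVersion\Run =='
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    # PSPath, PSParentPath etc. are provider metadata, not registry values.
    $run.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $flag = if ("$($_.Value)" -match [regex]::Escape($SampleName)) { 'SUSPECT' } else { '' }
            '{0,-8} {1} = {2}' -f $flag, $_.Name, $_.Value
        }
}

# 2. Winlogon Shell under HKCU. A per-user Shell value normally does not
#    exist; the effective default is explorer.exe from HKLM, so anything else
#    here is a logon-time shell replacement (MITRE ATT&CK T1547.004).
Write-Host '== HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon =='
$wl = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.PSObject.Properties['Shell']) {
    $flag = if ($wl.Shell -ne 'explorer.exe') { 'SUSPECT' } else { '' }
    '{0,-8} Shell = {1}' -f $flag, $wl.Shell
} else {
    'Shell value not present (expected state)'
}

# 3. Startup folder. The report shows the dropped copy receiving a
#    Zone.Identifier stream (mark-of-the-web), which a copy inherits from a
#    marked original; its ZoneId records the origin zone (3 = Internet).
$startup = [Environment]::GetFolderPath('Startup')
Write-Host "== $startup =="
Get-ChildItem -Path $startup -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name    = $_.Name
        Bytes   = $_.Length
        SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        ZoneId  = @($zone | Where-Object { $_ -like 'ZoneId=*' }) -join ','
        Suspect = ($_.Name -ieq $SampleName)
    }
} | Format-Table -AutoSize
```

Compare the SHA256 printed in step 3 with the hashes in the report header before treating a hit as confirmed; a renamed dropper or a later variant will not match on name alone, which is why the hash is included in the output.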

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (117 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 612
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Window / User API: threadDelayed 2280
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6212 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 4696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep count: 236 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep count: 59 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 64 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 331 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928 Thread sleep count: 286 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328 Thread sleep count: 88 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4568 Thread sleep count: 220 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 644 Thread sleep count: 115 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1112 Thread sleep count: 62 > 30
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 360 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6816 Thread sleep count: 95 > 30
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6816 Thread sleep count: 2280 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment_Advice_pdf.exe, 00000000.00000003.308077244.0000000001196000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment_Advice_pdf.exe, 0000001B.00000002.525708728.0000000000BF9000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.524461670.0000000001281000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 0000000D.00000002.534697532.00000000048A2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.587753653.0000000004F55000.00000004.00000001.sdmp, powershell.exe, 00000010.00000002.614459908.00000000048A3000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Memory written: C:\Users\user\Desktop\Payment_Advice_pdf.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Advice_pdf.exe PID: 6728, type: MEMORY
Source: Yara match File source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Advice_pdf.exe PID: 6728, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment_Advice_pdf.exe PID: 6728, type: MEMORY
Source: Yara match File source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph (ID 324331, sample Payment_Advice_pdf.exe, start date 29/11/2020, architecture WINDOWS, score 100):

Contacted hosts: pastebin.com (104.23.98.190, port 443, local ports 49725 and 49743, CLOUDFLARENETUS, United States), hastebin.com (172.67.143.180, port 443, local port 49720, CLOUDFLARENETUS, United States), g.msn.com.
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; Connects to a pastebin service (likely for C&C) on hastebin.com; 3 other signatures.
Processes started: Payment_Advice_pdf.exe (three instances) and 3 other processes. The first Payment_Advice_pdf.exe instance started powershell.exe three times plus 3 other processes; the second instance started timeout.exe; each powershell.exe, timeout.exe and the other child processes started conhost.exe.
Files dropped by Payment_Advice_pdf.exe: C:\Users\user\...\Payment_Advice_pdf.exe (PE32); C:\...\Payment_Advice_pdf.exe:Zone.Identifier (ASCII); C:\Users\user\...\Payment_Advice_pdf.exe.log (ASCII).
Signatures on Payment_Advice_pdf.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 5 other signatures.

Contacted Public IPs

IP              Domain    Country         ASN    ASN Name          Malicious
104.23.98.190   unknown   United States   13335  CLOUDFLARENETUS   false
172.67.143.180  unknown   United States   13335  CLOUDFLARENETUS   false

Contacted Domains

Name          IP              Active
hastebin.com  172.67.143.180  true
pastebin.com  104.23.98.190   true
g.msn.com     unknown         unknown