Analysis Report Payment_Advice_pdf.exe

Overview

General Information

Sample Name: Payment_Advice_pdf.exe
Analysis ID: 324331
MD5: 536cf4ed17eba1bf41ef70faaa2054a4
SHA1: 72e062dd7a10d8b9e66732d5037c5156a9741d30
SHA256: c8ad1b5688fbbc359ee4256d3c7fbca2d09bdd4968000dc8ffb86bb9964ac213
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Payment_Advice_pdf.exe (PID: 4392 cmdline: 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
    • timeout.exe (PID: 4488 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 4616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6924 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6948 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7008 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7104 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Payment_Advice_pdf.exe (PID: 6728 cmdline: C:\Users\user\Desktop\Payment_Advice_pdf.exe MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
  • Payment_Advice_pdf.exe (PID: 5600 cmdline: 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
  • Payment_Advice_pdf.exe (PID: 6944 cmdline: 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
    • timeout.exe (PID: 4404 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Payment_Advice_pdf.exe (PID: 5360 cmdline: 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
  • Payment_Advice_pdf.exe (PID: 5916 cmdline: 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
  • Payment_Advice_pdf.exe (PID: 5536 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' MD5: 536CF4ED17EBA1BF41EF70FAAA2054A4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: Payment_Advice_pdf.exe PID: 6728 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: Payment_Advice_pdf.exe PID: 6728 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
22.2.Payment_Advice_pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: Payment_Advice_pdf.exe | Virustotal: Detection: 39%
Source: Payment_Advice_pdf.exe | Metadefender: Detection: 18%
Source: Payment_Advice_pdf.exe | ReversingLabs: Detection: 48%
Source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: hastebin.com
Source: unknown | DNS query: name: pastebin.com
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: Joe Sandbox View | IP Address: 104.23.98.190
Source: Joe Sandbox View | IP Address: 172.67.143.180
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS traffic detected: queries for: hastebin.com
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 0000000D.00000002.517611780.0000000000A88000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omn
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/Cloudfl
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: http://oTJwpq.com
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.533472572.000000000349C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.525801719.00000000012D0000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: Payment_Advice_pdf.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digp
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.pngTG
Source: powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 0000000D.00000002.532936323.0000000004761000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.532691170.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 00000010.00000002.585877442.0000000004761000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.535729267.0000000004B51000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlTG
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: Payment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/PesterTG
Source: Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/asixarufey
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/caqubavere
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/foqosepayu
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/fufufevuxa
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/noqadobanu
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/onikuyajar
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/oqigugirew
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/saconikone
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/userirulod
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/walodekari
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/yafimefexo
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/yimijojino
Source: Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.com/raw/zegivutiko
Source: Payment_Advice_pdf.exe, 0000001B.00000002.536730759.0000000002A8C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.537590651.00000000036B9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533702642.00000000030C3000.00000004.00000001.sdmp | String found in binary or memory: https://hastebin.comD8
Source: powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Payment_Advice_pdf.exe, 0000001B.00000002.533241996.000000000291C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.536730759.0000000002A8C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.537590651.00000000036B9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533702642.00000000030C3000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533400666.00000000030AC000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp | String found in binary or memory: https://www.digicert.co
Source: Payment_Advice_pdf.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: Payment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
Source: Payment_Advice_pdf.exe, 00000020.00000002.522672763.000000000122B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large strings
Source: Payment_Advice_pdf.exe, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Source: Payment_Advice_pdf.exe.0.dr, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Source: 0.0.Payment_Advice_pdf.exe.a20000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Source: 22.0.Payment_Advice_pdf.exe.840000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Source: 22.2.Payment_Advice_pdf.exe.840000.1.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Source: 23.2.Payment_Advice_pdf.exe.db0000.0.unpack, Dfefcbbdbedeeeacebdceebcecee/Eaeecddaaefdcbdbfbefdeebb.cs | Long String: Length: 75040
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment_Advice_pdf.exe
Source: initial sample | Static PE information: Filename: Payment_Advice_pdf.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0080EDA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0080A570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0081A0C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0081F890
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0081E028
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_0081BCF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00DE1088
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00DEF528
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_01196848
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_01197CE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0487C9B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0487EA10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00386ED0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00387F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00398458
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00390040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_0039B448
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00391870
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00396E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_006E7F38
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_006EAFD0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_0102B150
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_010284B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_01066F88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_01068010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_010643C0
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 22_2_012B46A0
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 22_2_012B4630
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 22_2_012B4690
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 23_2_014C0468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 23_2_014C0457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 25_2_01850468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 25_2_01850457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 27_2_00B80468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 27_2_00B80457
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 28_2_01660468
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Code function: 28_2_01660457
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | Code function: 32_2_014B0468
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | Code function: 32_2_014B0457
Source: Payment_Advice_pdf.exe | Static PE information: invalid certificate
Source: Payment_Advice_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Payment_Advice_pdf.exe, 00000000.00000003.316353924.0000000005E67000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe | Binary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000016.00000000.333815367.0000000000842000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe | Binary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000017.00000002.357200362.00000000015FA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000017.00000000.343447880.0000000000DB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe | Binary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
Source: Payment_Advice_pdf.exe, 00000019.00000002.509305247.0000000000E52000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 00000019.00000002.521307297.000000000161A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exeBinary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 0000001B.00000002.524460175.0000000000BA9000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 0000001B.00000002.509293707.0000000000372000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exeBinary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 0000001C.00000002.509221914.0000000000E62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exeBinary or memory string: OriginalFilename vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 00000020.00000002.508979983.0000000000BB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exeBinary or memory string: OriginalFilenamewitadmin.exe~/ vs Payment_Advice_pdf.exe
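The "OriginalFilename ... vs Payment_Advice_pdf.exe" entries above are the sandbox comparing the OriginalFilename field of VS_VERSIONINFO blocks found in the file and in process memory dumps against the name the sample runs under; a mismatch (here witadmin.exe, a legitimate Team Foundation tool name) is a cheap sign of a repurposed or spoofed version resource. The following is an added example of that check, not code from the report or from Joe Sandbox; the byte buffer it scans is constructed to look like the report's dumps, and the helper and function names are this example's own. It also shows the caveat visible in the report: DLLs loaded into the process (clr.dll, Kernelbase.dll.mui) carry their own version blocks, so only .exe values are compared by default.

```python
"""Pull VS_VERSIONINFO OriginalFilename strings out of a file or memory dump and
compare them with the name the sample actually runs under.

Added example, not part of the sandbox report. The byte buffer below is
constructed to mimic what the report's memory dumps contain."""
import re

# In VS_VERSIONINFO string tables each entry is UTF-16LE "key\0", padded to a
# DWORD boundary, followed by UTF-16LE "value\0".
KEY = "OriginalFilename".encode("utf-16-le")
# A run of non-NUL UTF-16LE code units terminated by a NUL code unit.
VALUE_RE = re.compile(rb"((?:[^\x00]\x00)+)\x00\x00")


def find_original_filenames(buf):
    """Return every OriginalFilename value found in buf, in order."""
    values = []
    pos = buf.find(KEY)
    while pos != -1:
        cur = pos + len(KEY)
        while buf[cur:cur + 2] == b"\x00\x00":   # key terminator + alignment padding
            cur += 2
        m = VALUE_RE.match(buf, cur)
        if m:
            values.append(m.group(1).decode("utf-16-le"))
        pos = buf.find(KEY, pos + 2)
    return values


def mismatched_original_filenames(buf, running_name, only_executables=True):
    """Return OriginalFilename values that disagree with the on-disk name.

    Loaded DLLs carry their own version blocks (the report's dumps also show
    clr.dll and Kernelbase.dll.mui), so by default only .exe values are compared:
    a DLL name in a process dump is expected, a different .exe name is not."""
    expected = running_name.lower()
    hits = []
    for value in find_original_filenames(buf):
        v = value.lower()
        if only_executables and not v.endswith(".exe"):
            continue
        if v != expected:
            hits.append(value)
    return hits


def _entry(key, value):
    """Build one string-table entry the way the PE resource compiler lays it out."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    if len(k) % 4:
        k += b"\x00\x00"
    return k + value.encode("utf-16-le") + b"\x00\x00"


# Constructed dump: a mismatching .exe block plus two DLL blocks, like the report.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _entry("CompanyName", "Microsoft Corporation")
    + _entry("OriginalFilename", "witadmin.exe")
    + b"\x90" * 8
    + _entry("OriginalFilename", "clr.dll")
    + _entry("OriginalFilename", "Kernelbase.dll.mui")
)

if __name__ == "__main__":
    print(find_original_filenames(SAMPLE_DUMP))
    print(mismatched_original_filenames(SAMPLE_DUMP, "Payment_Advice_pdf.exe"))
```

On a real dump, run `find_original_filenames` over the raw bytes of each .sdmp region; the trailing junk the report shows after the names ("~/", "T", "j%") is what follows the NUL terminator in memory and is not part of the value, which is why the scanner stops at the first NUL code unit.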
Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@26/15@13/2
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5772:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\642ea71a-359c-4338-a04f-1ead15fc1a7a
Source: Payment_Advice_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment_Advice_pdf.exe | Virustotal: Detection: 39%
Source: Payment_Advice_pdf.exe | Metadefender: Detection: 18%
Source: Payment_Advice_pdf.exe | ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File read: C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe 'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
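The process tree above records the sample spawning powershell.exe four times to run Add-MpPreference -ExclusionPath against its own Desktop copy and its Startup-folder copy, which is the "Adds a directory exclusion to Windows Defender" signature. That command line is a high-value detection on its own, but the context is what separates it from an administrator excluding a build directory: the parent is an unsigned user-mode executable, the excluded path is user-writable, and the excluded file has the same name as the parent. The following is an added example of scoring that context from process-creation telemetry; it is not code from the report or from Joe Sandbox. The events are constructed (field names loosely follow Sysmon Event ID 1, the first event mirrors the report's command line, the others are invented controls), and the weights are this example's own.

```python
"""Flag Microsoft Defender tampering in process-creation telemetry.

Added example, not part of the sandbox report. The events below are constructed
(field names loosely follow Sysmon Event ID 1); the first mirrors the
Add-MpPreference command line the report captured."""
import ntpath
import re

MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# -ExclusionPath 'x' | -ExclusionPath "x" | -ExclusionPath x
EXCLUSION = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))", re.I)
DISABLE = re.compile(r"-Disable(\w+)\s+(?:\$true|1)\b", re.I)
USER_DIRS = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def _user_writable(path):
    return bool(USER_DIRS.search(path) or STARTUP_DIR.search(path))


def analyze_event(event):
    """Return a finding dict for a Defender-tampering command line, else None."""
    if "powershell" not in ntpath.basename(event["Image"]).lower():
        return None
    cmd = event["CommandLine"]
    if not MP_CMDLET.search(cmd):
        return None
    parent = event.get("ParentImage", "")
    parent_name = ntpath.basename(parent).lower()
    finding = {"exclusions": [], "disabled": [], "user_writable": False,
               "self_exclusion": False, "score": 0}
    for m in EXCLUSION.finditer(cmd):
        kind = m.group(1)
        value = m.group(2) or m.group(3) or m.group(4)
        finding["exclusions"].append((kind, value))
        if _user_writable(value):
            finding["user_writable"] = True
        # The report's case: the sample excludes its own copies, so the parent
        # of powershell.exe and the excluded file share a name.
        if parent and kind.lower() in ("path", "process") and (
                value.lower() == parent.lower()
                or ntpath.basename(value).lower() == parent_name):
            finding["self_exclusion"] = True
    finding["disabled"] = [m.group(1) for m in DISABLE.finditer(cmd)]
    score = 0
    if finding["exclusions"]:
        score += 40           # any exclusion change is worth a look
    if finding["user_writable"]:
        score += 30           # excluding user-writable paths defeats the point
    if finding["self_exclusion"]:
        score += 30           # a process excluding itself is rarely legitimate
    if finding["disabled"]:
        score += 50           # e.g. -DisableRealtimeMonitoring $true
    finding["score"] = score
    return finding


def triage(events, threshold=70):
    """Indices and findings for events scoring at or above threshold."""
    out = []
    for i, ev in enumerate(events):
        f = analyze_event(ev)
        if f and f["score"] >= threshold:
            out.append((i, f))
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
STARTUP_COPY = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\Payment_Advice_pdf.exe")
SAMPLE_EVENTS = [
    # as captured in the report: the sample spawns powershell to exclude its Startup copy
    {"ParentImage": r"C:\Users\user\Desktop\Payment_Advice_pdf.exe", "Image": PS,
     "CommandLine": "'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe' "
                    "Add-MpPreference -ExclusionPath '" + STARTUP_COPY + "' -Force"},
    # constructed: an administrator excluding a build directory from a console
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "D:\BuildAgent\work"'},
    # constructed: real-time protection switched off from an Office parent
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    # constructed: unrelated PowerShell use
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for i, f in triage(SAMPLE_EVENTS):
        print(i, f["score"], f["exclusions"], f["disabled"])
```

Command-line matching is the fallback, not the primary source: Defender itself logs exclusion changes (Microsoft-Windows-Windows Defender/Operational event 5007) regardless of how they were made, and a PowerShell-based rule is blind to the same change made through the WMI MSFT_MpPreference class. The parent-name comparison is also deliberately loose so that it still fires when the sample runs from a different directory than the copy it excludes, as it does here.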
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment_Advice_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment_Advice_pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbs source: powershell.exe, 0000000D.00000002.517611780.0000000000A88000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_008131C0 push ebx; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00815AF8 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00818DC0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00815EB0 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00818FE1 push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00DE0690 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00DE0A81 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0119C891 push 3800B793h; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0119D241 push eax; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_0487D5A0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00385D51 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00392160 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00396260 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00396450 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_003978D0 push es; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00399A98 push 0000C36Dh; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_006ED027 push esp; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00BB0810 pushad ; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00BB0C30 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_0106A2D1 push FF580101h; retf
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_01064E38 push FFFFFF8Bh; retf
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <Unknown>
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
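The Boot Survival section shows three mechanisms aimed at one file: the per-user Winlogon Shell value, HKCU Run values (one with an unreadable name, one named after the sample), and a copy in the Startup folder, all written by the Desktop copy of the sample. Any one of these on its own generates noise in an enterprise (legitimate software writes HKCU Run values under AppData all day); what makes this a confident call is that several independent autostart paths converge on the same executable, and that the HKCU Winlogon Shell value, which the report flags as undocumented, is written at all. The following is an added example of correlating those writes, not code from the report or from Joe Sandbox. The events are constructed: the report names the values written but not their data, so the data strings are assumptions, and the OneDrive entry is an invented benign control.

```python
"""Score autostart writes by how many mechanisms point at the same executable.

Added example, not part of the sandbox report. Events are constructed: the report
names the registry values written (Winlogon Shell, Run) but not their data, so the
data strings here are assumptions; the OneDrive entry is a constructed benign control."""
import ntpath
import re
from collections import defaultdict

SHELL_VALUE = re.compile(r"^(?:HKCU|HKEY_CURRENT_USER)\\.*\\Winlogon\\Shell$", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$", re.I)
STARTUP_EXE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
# Full Windows paths ending in .exe, or bare names such as explorer.exe
EXE_REF = re.compile(r"[A-Za-z]:\\[^,;\"]*?\.exe|\b[\w.-]+\.exe", re.I)

WEIGHTS = {"winlogon-shell(HKCU)": 60, "run-key": 20, "startup-folder": 20}


def _exe_names(data):
    return {ntpath.basename(m.group(0)).lower() for m in EXE_REF.finditer(data)}


def assess_persistence(events):
    """Map executable name -> {"mechanisms": set, "score": int}."""
    findings = defaultdict(lambda: {"mechanisms": set(), "score": 0})
    for ev in events:
        target = ev["target"]
        if ev["type"] == "RegistryValueSet" and SHELL_VALUE.search(target):
            # Installers do not set HKCU Winlogon\Shell; anything besides the
            # default explorer.exe is suspect on its own.
            for name in _exe_names(ev["data"]) - {"explorer.exe"}:
                findings[name]["mechanisms"].add("winlogon-shell(HKCU)")
        elif ev["type"] == "RegistryValueSet" and RUN_VALUE.search(target):
            for name in _exe_names(ev["data"]):
                findings[name]["mechanisms"].add("run-key")
        elif ev["type"] == "FileCreate" and STARTUP_EXE.search(target):
            findings[ntpath.basename(target).lower()]["mechanisms"].add("startup-folder")
    for f in findings.values():
        f["score"] = sum(WEIGHTS[m] for m in f["mechanisms"])
        if len(f["mechanisms"]) >= 2:   # redundant persistence is the stronger signal
            f["score"] += 20
    return dict(findings)


STARTUP_COPY = (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu"
                r"\Programs\Startup\Payment_Advice_pdf.exe")
SAMPLE = r"C:\Users\user\Desktop\Payment_Advice_pdf.exe"
SAMPLE_EVENTS = [
    {"type": "RegistryValueSet", "process": SAMPLE,
     "target": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "data": "explorer.exe, " + STARTUP_COPY},           # assumed data
    {"type": "RegistryValueSet", "process": SAMPLE,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Payment_Advice_pdf.exe",
     "data": STARTUP_COPY},                               # assumed data
    {"type": "FileCreate", "process": SAMPLE, "target": STARTUP_COPY},
    {"type": "RegistryValueSet", "process": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    ranked = sorted(assess_persistence(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"])
    for name, f in ranked:
        print(f"{f['score']:4d}  {name}  {sorted(f['mechanisms'])}")
```

On a live host the same correlation can be fed from Sysmon Event ID 13 (registry value set) and Event ID 11 (file create); when responding, clear all three locations together, since the report shows the sample also monitors registry keys for changes and a single removed value is likely to be rewritten.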
Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (74 identical entries)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 374
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 612
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Window / User API: threadDelayed 2280
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6212 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 4696 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep count: 236 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5348 Thread sleep count: 59 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 64 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908 Thread sleep count: 331 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928 Thread sleep count: 286 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6328 Thread sleep count: 88 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4568 Thread sleep count: 220 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 644 Thread sleep count: 115 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1112 Thread sleep count: 62 > 30
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 360 Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6816 Thread sleep count: 95 > 30
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe TID: 6816 Thread sleep count: 2280 > 30
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Payment_Advice_pdf.exe, 00000000.00000003.308077244.0000000001196000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
              Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Payment_Advice_pdf.exe, 0000001B.00000002.525708728.0000000000BF9000.00000004.00000020.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.524461670.0000000001281000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: powershell.exe, 0000000D.00000002.534697532.00000000048A2000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.587753653.0000000004F55000.00000004.00000001.sdmp, powershell.exe, 00000010.00000002.614459908.00000000048A3000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
              Source: Payment_Advice_pdf.exe, 00000016.00000002.603196546.0000000005D10000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.536243626.0000000005910000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.529605225.0000000000E40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion:

              Adds a directory exclusion to Windows Defender
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
              Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
              Injects a PE file into a foreign process
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Memory written: C:\Users\user\Desktop\Payment_Advice_pdf.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Process created: C:\Users\user\Desktop\Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
              Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
              Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progman
              Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
              Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
              Source: Payment_Advice_pdf.exe, 00000016.00000002.530003686.0000000001670000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000019.00000002.525926020.0000000001DA0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.531190840.00000000012D0000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.530154769.0000000001D50000.00000002.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.530081844.00000000019A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\Desktop\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Payment_Advice_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Advice_pdf.exe PID: 6728, type: MEMORY
Source: Yara match | File source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment_Advice_pdf.exe PID: 6728, type: MEMORY
Source: Yara match | File source: 22.2.Payment_Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Startup Items 1 | Startup Items 1 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 421 | Process Injection 112 | Virtualization/Sandbox Evasion 14 | LSASS Memory | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 421 | Disable or Modify Tools 11 | Security Account Manager | Virtualization/Sandbox Evasion 14 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 113 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 324331 | Sample: Payment_Advice_pdf.exe | Startdate: 29/11/2020 | Architecture: WINDOWS | Score: 100
DNS/IP: pastebin.com (104.23.98.190, port 443, client ports 49725 and 49743, CLOUDFLARENETUS, United States); hastebin.com (172.67.143.180, port 443, client port 49720, CLOUDFLARENETUS, United States); g.msn.com
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 3 other signatures; Connects to a pastebin service (likely for C&C), attached to hastebin.com
Processes started from the sample: Payment_Advice_pdf.exe (three instances) and 3 other processes
Files dropped by Payment_Advice_pdf.exe: C:\Users\user\...\Payment_Advice_pdf.exe (PE32); C:\...\Payment_Advice_pdf.exe:Zone.Identifier (ASCII); C:\Users\user\...\Payment_Advice_pdf.exe.log (ASCII)
Signatures on Payment_Advice_pdf.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Creates an undocumented autostart registry key; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 5 other signatures
Child processes: Payment_Advice_pdf.exe starts powershell.exe (three instances) and 3 other processes; a second Payment_Advice_pdf.exe instance starts timeout.exe; each powershell.exe and timeout.exe instance starts conhost.exe

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
Payment_Advice_pdf.exe | 39% | Virustotal | -
Payment_Advice_pdf.exe | 19% | Metadefender | -
Payment_Advice_pdf.exe | 48% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | 19% | Metadefender | -
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe | 48% | ReversingLabs | ByteCode-MSIL.Trojan.Generic

              Unpacked PE Files

Source | Detection | Scanner | Label
22.2.Payment_Advice_pdf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://ocsp.digp | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://hastebin.comD8 | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://www.digicert.co | 0% | Virustotal | -
https://www.digicert.co | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.pngTG | 0% | Avira URL Cloud | safe
http://oTJwpq.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hastebin.com | 172.67.143.180 | true | false | - | high
pastebin.com | 104.23.98.190 | true | false | - | high
g.msn.com | unknown | unknown | false | - | high

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://hastebin.com | Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
http://127.0.0.1:HTTP/1.1 | Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://nuget.org/NuGet.exe | powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | false | - | high
http://ocsp.digp | Payment_Advice_pdf.exe, 00000000.00000003.309198205.00000000011E9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://hastebin.com/raw/foqosepayu | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/noqadobanu | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/zegivutiko | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/walodekari | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/yafimefexo | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://hastebin.com/raw/onikuyajar | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://hastebin.comD8 | Payment_Advice_pdf.exe, 0000001B.00000002.536730759.0000000002A8C000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.537590651.00000000036B9000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.533702642.00000000030C3000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hastebin.com/raw/caqubavere | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/fufufevuxa | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://hastebin.com/raw/saconikone | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://api.ipify.orgGETMozilla/5.0 | Payment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://hastebin.com/raw/asixarufey | Payment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmp | false | - | high
https://www.digicert.co | Payment_Advice_pdf.exe, 0000001B.00000002.527256543.0000000000C44000.00000004.00000020.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | Payment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000D.00000002.535392577.000000000498D000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.537783198.0000000004C8E000.00000004.00000001.sdmp | false
                                                      high
                                                      https://contoso.com/powershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://github.com/Pester/PesterTGpowershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://nuget.org/nuget.exepowershell.exe, 00000013.00000002.601790285.0000000005BB5000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://pesterbdd.com/images/Pester.pngTGpowershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlTGpowershell.exe, 0000000F.00000002.535899338.0000000004BC1000.00000004.00000001.sdmpfalse
                                                            high
                                                            http://oTJwpq.comPayment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000D.00000002.532936323.0000000004761000.00000004.00000001.sdmp, powershell.exe, 0000000F.00000002.532691170.0000000004A81000.00000004.00000001.sdmp, powershell.exe, 00000010.00000002.585877442.0000000004761000.00000004.00000001.sdmp, powershell.exe, 00000013.00000002.535729267.0000000004B51000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------xPayment_Advice_pdf.exe, 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://hastebin.com/raw/oqigugirewPayment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipPayment_Advice_pdf.exe, 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://hastebin.com/raw/yimijojinoPayment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://hastebin.com/raw/userirulodPayment_Advice_pdf.exe, 00000019.00000002.529670733.000000000324E000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001B.00000002.532494643.00000000028C1000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 0000001C.00000002.532784461.0000000003441000.00000004.00000001.sdmp, Payment_Advice_pdf.exe, 00000020.00000002.532690166.0000000003051000.00000004.00000001.sdmpfalse
                                                                      high

                                                                      Contacted IPs

                                                                      Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.98.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.143.180 | unknown | United States | 13335 | CLOUDFLARENETUS | false

                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 324331
Start date: 29.11.2020
Start time: 06:47:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 17s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment_Advice_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 37
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@26/15@13/2
EGA Information: Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 0.6% (good quality ratio 0.6%)
                                                                      • Quality average: 93.8%
                                                                      • Quality standard deviation: 7.8%
                                                                      HCA Information:
                                                                      • Successful, ratio: 96%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 0
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 168.61.161.212, 104.43.193.48, 2.20.84.85, 51.11.168.160, 20.54.26.129, 51.103.5.159, 52.142.114.176, 92.122.213.194, 92.122.213.247, 51.104.144.132, 52.155.217.156
                                                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                      Simulations

                                                                      Behavior and APIs

Time | Type | Description
06:49:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\Payment_Advice_pdf.exe
06:49:40 | API Interceptor | 17x Sleep call for process: Payment_Advice_pdf.exe modified
06:49:44 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
06:49:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run <Unknown> C:\Users\user\Desktop\Payment_Advice_pdf.exe
06:50:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Payment_Advice_pdf.exe C:\Users\user\Desktop\Payment_Advice_pdf.exe
06:50:11 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
06:50:51 | API Interceptor | 25x Sleep call for process: powershell.exe modified
06:51:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe
06:51:19 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newapp C:\Users\user\AppData\Roaming\newapp\newapp.exe

                                                                      Joe Sandbox View / Context

                                                                      IPs

Match | Associated Sample Name / URL | Detection | Context
104.23.98.190 | b095b966805abb7df4ffddf183def880.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | E1Q0TjeN32.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 6YCl3ATKJw.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | Hjnb15Nuc3.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 4av8Sn32by.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | T6OcyQsUsY.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | PbTwrajNMX.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 22NO7gVJ7r.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | rE7DwszvrX.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | VjPHSJkwr6.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | wf86K0dpOP.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | 6C1MYmrVl1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.98.190 | aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
172.67.143.180 | OVERDUE INVOICE.xls | malicious |
172.67.143.180 | Purchase Order.exe | malicious |
172.67.143.180 | SecuriteInfo.com.Mal.Generic-S.26042.exe | malicious |
172.67.143.180 | SecuriteInfo.com.Trojan.Siggen11.48004.19433.exe | malicious |
172.67.143.180 | CSq58hA6nO.exe | malicious |
172.67.143.180 | Order Catalogue Specifications.xlsx | malicious |
172.67.143.180 | IFEvMPuK1t.exe | malicious |
172.67.143.180 | PO91666. pdf.exe | malicious |
172.67.143.180 | 8DHgG635TK.exe | malicious |
172.67.143.180 | NdAonNMuzm.exe | malicious |
172.67.143.180 | 9fv6IffZmA.exe | malicious |
172.67.143.180 | plvSd6AoLp.exe | malicious |
172.67.143.180 | w6r8DJTtvF.exe | malicious |
172.67.143.180 | B67aSzPX6F.exe | malicious |
172.67.143.180 | 3230_pdf.exe | malicious |
172.67.143.180 | P.O pdf pdf pdf pdf pdf ori40 ony.exe | malicious |
172.67.143.180 | Shipping Details_PDF.exe | malicious |
172.67.143.180 | #INVBEBON095834.pdf.exe | malicious |
172.67.143.180 | #INVBEBON095835.pdf.exe | malicious |
172.67.143.180 | xE08uG0aqO.exe | malicious |

                                                                                                              Domains

                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                              pastebin.comBWPh61ydQN.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              fAhW3JEGaZ.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              HIp08HPg20.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              OVERDUE INVOICE.xlsGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              Venom.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              PO348578.jarGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              Purchase Order.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              SecuriteInfo.com.Trojan.Siggen11.49316.15393.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              SecuriteInfo.com.Trojan.Nanocore.23.20965.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              SecuriteInfo.com.Mal.Generic-S.26042.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              SecuriteInfo.com.BehavesLike.Win32.VirRansom.rm.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              SecuriteInfo.com.Trojan.KillProc2.14740.25300.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              due-invoice.xlsmGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              Order 51897.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.99.190
                                                                                                              Statement Of Account.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              http://ancien-site-joomla.fr/build2.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              BTNCRKWd.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              Shipment Details.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              7iZX0KCH4C.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
                                                                                                              IFEvMPuK1t.exeGet hashmaliciousBrowse
                                                                                                              • 104.23.98.190
hastebin.com | OVERDUE INVOICE.xls | Get hash | malicious | Browse | 172.67.143.180
 | Venom.exe | Get hash | malicious | Browse | 104.24.127.89
 | Purchase Order.exe | Get hash | malicious | Browse | 172.67.143.180
 | SecuriteInfo.com.Mal.Generic-S.26042.exe | Get hash | malicious | Browse | 104.24.126.89
 | due-invoice.xlsm | Get hash | malicious | Browse | 104.24.127.89
 | SecuriteInfo.com.Gen.NN.ZemsilF.34658.m0@a8V1yrei.exe | Get hash | malicious | Browse | 104.24.126.89
 | Order 51897.exe | Get hash | malicious | Browse | 104.24.127.89
 | AsyncClient.exe | Get hash | malicious | Browse | 104.24.126.89
 | Statement Of Account.exe | Get hash | malicious | Browse | 104.24.127.89
 | http://ancien-site-joomla.fr/build2.exe | Get hash | malicious | Browse | 104.24.126.89
 | SecuriteInfo.com.ArtemisTrojan.exe | Get hash | malicious | Browse | 104.24.126.89
 | SecuriteInfo.com.BackDoor.SpyBotNET.25.30157.exe | Get hash | malicious | Browse | 104.24.127.89
 | C03N224Hbu.exe | Get hash | malicious | Browse | 104.24.126.89
 | P.O_ 39134.xlsx | Get hash | malicious | Browse | 104.24.127.89
 | EME.39134.xlsx | Get hash | malicious | Browse | 104.24.127.89
 | SecuriteInfo.com.Trojan.Siggen11.48004.19433.exe | Get hash | malicious | Browse | 172.67.143.180
 | Order List.xlsx | Get hash | malicious | Browse | 104.24.127.89
 | CSq58hA6nO.exe | Get hash | malicious | Browse | 172.67.143.180
 | Order Catalogue Specifications.xlsx | Get hash | malicious | Browse | 172.67.143.180
 | Shipping Details_PDF.exe | Get hash | malicious | Browse | 104.24.127.89

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
CLOUDFLARENETUS | case4092.xls | Get hash | malicious | Browse | 104.31.86.113
 | case4092.xls | Get hash | malicious | Browse | 104.31.86.113
 | SecuriteInfo.com.Exploit.Siggen3.2597.23127.xls | Get hash | malicious | Browse | 172.67.212.16
 | SecuriteInfo.com.Exploit.Siggen3.2597.23127.xls | Get hash | malicious | Browse | 172.67.212.16
 | Quote.exe | Get hash | malicious | Browse | 172.67.188.154
 | DWG AND PO SPECIFICATION.xls | Get hash | malicious | Browse | 104.20.138.65
 | DWG AND PO SPECIFICATION.xls | Get hash | malicious | Browse | 104.20.139.65
 | egGgMixHNS.exe | Get hash | malicious | Browse | 172.67.219.32
 | BWPh61ydQN.exe | Get hash | malicious | Browse | 162.159.135.233
 | DWG AND PO SPECIFICATION.xls | Get hash | malicious | Browse | 104.20.138.65
 | egGgMixHNS.exe | Get hash | malicious | Browse | 104.24.123.22
 | 5KYnVcv9cf.exe | Get hash | malicious | Browse | 104.24.123.22
 | 5KYnVcv9cf.exe | Get hash | malicious | Browse | 104.24.122.22
 | DHL invoice VNYI564714692.exe | Get hash | malicious | Browse | 162.159.135.232
 | Order-Poland.exe | Get hash | malicious | Browse | 162.159.134.233
 | Novi poredak.exe | Get hash | malicious | Browse | 162.159.135.233
 | Customer Remittance Advice 9876627262822662.exe | Get hash | malicious | Browse | 162.159.134.233
 | 94039330.exe | Get hash | malicious | Browse | 162.159.134.233
 | P1001094.EXE | Get hash | malicious | Browse | 162.159.134.233
 | ompbSaRiK0.exe | Get hash | malicious | Browse | 104.18.53.239

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | ompbSaRiK0.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | XcOxlmOz4D.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Venom.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | module.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | SecuriteInfo.com.Trojan.MulDrop15.61980.13868.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | SecuriteInfo.com.Trojan.PWS.Stealer.29618.24275.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Purchase Order.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | SecuriteInfo.com.Trojan.MulDrop15.61981.23282.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | ORDER.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Mixtec New Order And Price List Requsting Form_pdf.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | swift copy.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | 26-11-20_Dhl_Signed_document-pdf.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Arrivalnotice2020pdf.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | SecuriteInfo.com.Mal.Generic-S.26042.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | guy1.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | guy2.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Exodus.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | INV-6367-20_pdf.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | #A06578987.xlsm | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180
 | Order 51897.exe | Get hash | malicious | Browse | 104.23.98.190, 172.67.143.180

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment_Advice_pdf.exe.log
Process: C:\Users\user\Desktop\Payment_Advice_pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLU84qpE4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7GE4Kx1qE4KE4j:Mgv2HKXwYHKhQnoPtHoxHhAHKzvGHKxx
MD5: 6601BE2C4834904CD917BA61AE5C10E2
SHA1: 2AB6A81BFA9DC031F5D2538AB94FC99074AD5241
SHA-256: 85212C0C71D214CD899B0E3FDD41A1D149E44FEFA5DD42B419B2299BC6FCC34F
SHA-512: 2F825EC08F2A34A6540F862EDD948E5674D66C94E371C9EF3CDA0AA657E0A8EB8F6260A9EE7A582A1EC30C16CC8094ECC60F3406D2904A9AA0B38918205C5EA6
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutra

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24fphy4r.0gs.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52egkfrp.jkl.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bppwvxmq.v5t.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clsntrj5.a1a.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fwsc2twm.abg.ps1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lv3izpro.emd.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmdcdr4n.tid.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vxulzjog.0pn.psm1
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:very short file (no magic)
                                                                                                              Category:dropped
                                                                                                              Size (bytes):1
                                                                                                              Entropy (8bit):0.0
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:U:U
                                                                                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                              Malicious:false
                                                                                                              Preview: 1
                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
                                                                                                              Process:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Category:dropped
                                                                                                              Size (bytes):631776
                                                                                                              Entropy (8bit):5.351954264003962
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:6144:9ktH7smB3jEe4PPDRQLv6DPc/cYeYUzz/OBOf7242COfS:mson4PL4vezOBOD242C0S
                                                                                                              MD5:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              SHA1:72E062DD7A10D8B9E66732D5037C5156A9741D30
                                                                                                              SHA-256:C8AD1B5688FBBC359EE4256D3C7FBCA2D09BDD4968000DC8FFB86BB9964AC213
                                                                                                              SHA-512:67BF10D1EA495B97EF8DB595BE0A1E363E2FF4B1E2EB6B55048C8AFDAF95CCC6AF443AE55070EDF22E1B0964B08099ABBE20E52301061B48C041240FD47471EE
                                                                                                              Malicious:true
                                                                                                              Antivirus:
                                                                                                              • Antivirus: Metadefender, Detection: 19%
                                                                                                              • Antivirus: ReversingLabs, Detection: 48%
                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N.^.........."...0.................. ........@.. ...............................K....`.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......(...d...................P .......................................................................................................................................................................*. ....*.....90...(....9........r...p....(....(....*........(....*....*..(....*.0......D....U.... ....(.....#................(....& ....(.....#................(....& ....(.....#................(....& ....(..... ....(.....#................(....& ....(.....#................(....&
                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe:Zone.Identifier
                                                                                                              Process:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):26
                                                                                                              Entropy (8bit):3.95006375643621
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:3:ggPYV:rPYV
                                                                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                              Malicious:true
                                                                                                              Preview: [ZoneTransfer]....ZoneId=0
                                                                                                              C:\Users\user\Documents\20201129\PowerShell_transcript.103386.JJDrYbN8.20201129064938.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):690
                                                                                                              Entropy (8bit):5.374884313341398
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:57DtSA6N4xYiTH3fBTj5oy/x2DOzzUjjIneSuVReTA64WoVPw6jewGxMKjX4CIyv:BxSAMiDvBBt/x2DOXUWeSuVReM64W8Hy
                                                                                                              MD5:EF7B79CA905D042D66413FBDCF5DCDBF
                                                                                                              SHA1:66857605BB4F8B535CD14C9EF58356B7A64B40BA
                                                                                                              SHA-256:EA4E25DF8980DECDD46A1F43C64433A52C9F28ECFF87491622F9446F5B788600
                                                                                                              SHA-512:7BC7AA96989DB17BF3255F72BBE074F552FCD6082892C6BD18B87A197353671A88261936716FEA777E1F9FF7D40684102B40609C26016995BEB8301B627FC0A5
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201129065027..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 103386 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\Payment_Advice_pdf.exe -Force..Process ID: 7104..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..
                                                                                                              C:\Users\user\Documents\20201129\PowerShell_transcript.103386.VthBuP45.20201129064936.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):744
                                                                                                              Entropy (8bit):5.386572842518841
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:57DtSA6N4xXTH3fBTj5oy/x2DOzzUjjIneSuSHSuVM1t2X9TA64WoEPw6jewGxMy:BxSADDvBBt/x2DOXUWeSuvuVMyM64WNS
                                                                                                              MD5:B61E1B38F5A52C9C70308B3313727171
                                                                                                              SHA1:70CEA769F553FD5D183CC384D8BA35DBC02CFE2A
                                                                                                              SHA-256:3B342B75D223229FD4C12ED07611CC69C177CFD7452BAE9C28E860052EBB42BD
                                                                                                              SHA-512:985CA19BA3318E267D0F5CC823195A836B0FC60053345EDCB5C89DB3B293EA17874D88438A119D732B3692300DDC346D2B144FFD8D800ED2104DF1B0F1A73D07
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201129065032..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 103386 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe -Force..Process ID: 7008..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..
                                                                                                              C:\Users\user\Documents\20201129\PowerShell_transcript.103386.loZpncW0.20201129064934.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):972
                                                                                                              Entropy (8bit):5.340417633985651
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:24:BxSAO1DvBBt/x2DOXUWeSuvuVMyM64WEUHjeTKKjX4CIym1ZJXPuvuVMyM6k:BZCv/toO+SsuJblqDYB1ZNsuJk
                                                                                                              MD5:F15BE5A6925D17D92F9A119AA38CA51F
                                                                                                              SHA1:2608202B911882C6088D93169D4F1FA10E037FB1
                                                                                                              SHA-256:ADAC5C16AF66849262785A58D4A99C9EA9FEAADE4091A489CCCA041A1D2128BD
                                                                                                              SHA-512:90536976CCFC4E2B27F2FA1F60C44CA07007050F7273FC0F7DF73991A72245D909E89923482E876584EACA92B243BD4C397A5186FDA23404A9234131B97ACCD8
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201129065013..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 103386 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe -Force..Process ID: 6924..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20201129065014..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe -Force..
                                                                                                              C:\Users\user\Documents\20201129\PowerShell_transcript.103386.z_ziTDYA.20201129064937.txt
                                                                                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                              Category:dropped
                                                                                                              Size (bytes):744
                                                                                                              Entropy (8bit):5.3922837398219405
                                                                                                              Encrypted:false
                                                                                                              SSDEEP:12:57DtSA6N4xiTH3fBTj5oy/x2DOzzUjjIneSuSHSuVM1t2X9TA64WofyPw6jewGx9:BxSAODvBBt/x2DOXUWeSuvuVMyM64WaD
                                                                                                              MD5:FDFA077639A382123DC963D7DB1589C0
                                                                                                              SHA1:D98CDEAA8B6FC7243E40D80D52F53C995BF0B413
                                                                                                              SHA-256:2FE16B41DBFEBD40DF624B046CBBFEB051F98EF96998FDBF7F8797F31FB55CD3
                                                                                                              SHA-512:DBE91F7DA2DF097E0B5CF6F5192C7A1A4B5A1AF2FC0DE357F47A16F64A197DB8703D43EE0A567B863E0554DE6090D722F2B59F5CE339063711A2E29BA50F5A35
                                                                                                              Malicious:false
                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20201129065031..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 103386 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe -Force..Process ID: 6948..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..

                                                                                                              Static File Info

                                                                                                              General

                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                              Entropy (8bit):5.351954264003962
                                                                                                              TrID:
                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                              • Windows Screen Saver (13104/52) 0.07%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                              File name:Payment_Advice_pdf.exe
                                                                                                              File size:631776
                                                                                                              MD5:536cf4ed17eba1bf41ef70faaa2054a4
                                                                                                              SHA1:72e062dd7a10d8b9e66732d5037c5156a9741d30
                                                                                                              SHA256:c8ad1b5688fbbc359ee4256d3c7fbca2d09bdd4968000dc8ffb86bb9964ac213
                                                                                                              SHA512:67bf10d1ea495b97ef8db595be0a1e363e2ff4b1e2eb6b55048c8afdaf95ccc6af443ae55070edf22e1b0964b08099abbe20e52301061b48c041240fd47471ee
                                                                                                              SSDEEP:6144:9ktH7smB3jEe4PPDRQLv6DPc/cYeYUzz/OBOf7242COfS:mson4PL4vezOBOD242C0S
                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N.^.........."...0.................. ........@.. ...............................K....`................................

                                                                                                              File Icon

                                                                                                              Icon Hash:5414746b4a511de8

                                                                                                              Static PE Info

                                                                                                              General

                                                                                                              Entrypoint:0x48d2de
                                                                                                              Entrypoint Section:.text
                                                                                                              Digitally signed:true
                                                                                                              Imagebase:0x400000
                                                                                                              Subsystem:windows gui
                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                                                                              Time Stamp:0x5EA34EB2 [Fri Apr 24 20:40:18 2020 UTC]
                                                                                                              TLS Callbacks:
                                                                                                              CLR (.Net) Version:v4.0.30319
                                                                                                              OS Version Major:4
                                                                                                              OS Version Minor:0
                                                                                                              File Version Major:4
                                                                                                              File Version Minor:0
                                                                                                              Subsystem Version Major:4
                                                                                                              Subsystem Version Minor:0
                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                              Authenticode Signature

                                                                                                              Signature Valid:false
                                                                                                              Signature Issuer:C=US, L=New York, OU=Beebbecbbffabffdbbffedcdeecdb, O=Fadddee, CN=Eddcbdabcadbaebb
                                                                                                              Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                              Error Number:-2146762487
                                                                                                              Not Before | Not After
                                                                                                              • 11/26/2020 2:31:29 PM | 11/26/2021 2:31:29 PM
                                                                                                              Subject Chain
                                                                                                              • C=US, L=New York, OU=Beebbecbbffabffdbbffedcdeecdb, O=Fadddee, CN=Eddcbdabcadbaebb
                                                                                                              Version:3
                                                                                                              Thumbprint MD5:DEFA3690708D3682B3E4D95E30B1BDE9
                                                                                                              Thumbprint SHA-1:78B16D9ABE3F03A2D7907298352F0447D308BA24
                                                                                                              Thumbprint SHA-256:1CF24A216D49C60783F64E313500C987149D11738D40B8EC45F2E3E20914B0EF
                                                                                                              Serial:009CB9CAA3873FF2621FE2496AE8C17F7F

                                                                                                              Entrypoint Preview

                                                                                                              Instruction
                                                                                                              jmp dword ptr [00402000h]

                                                                                                              Data Directories

                                                                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d28c | 0x4f | .text
                                                                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0xd7d8 | .rsrc
                                                                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x99000 | 0x13e0 | .rsrc
                                                                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
                                                                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                              Sections

                                                                                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                                              .text | 0x2000 | 0x8b2e4 | 0x8b400 | False | 0.177788725875 | data | 5.16846171058 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                              .rsrc | 0x8e000 | 0xd7d8 | 0xd800 | False | 0.240993923611 | data | 4.46718133319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                              .reloc | 0x9c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                              Resources

                                                                                                              Name | RVA | Size | Type | Language | Country
                                                                                                              RT_ICON | 0x8e370 | 0x9a4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                                                                              RT_ICON | 0x8ed14 | 0x668 | data | English | United States
                                                                                                              RT_ICON | 0x8f37c | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2004318071, next used block 4286054399 | English | United States
                                                                                                              RT_ICON | 0x8f664 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                                                                                              RT_ICON | 0x8f78c | 0xed9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                                                                              RT_ICON | 0x90668 | 0xea8 | data | English | United States
                                                                                                              RT_ICON | 0x91510 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                                                                                              RT_ICON | 0x91db8 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                                                                                              RT_ICON | 0x92320 | 0xee9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                                                                              RT_ICON | 0x9320c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 0 | English | United States
                                                                                                              RT_ICON | 0x97434 | 0x25a8 | data | English | United States
                                                                                                              RT_ICON | 0x999dc | 0x10a8 | data | English | United States
                                                                                                              RT_ICON | 0x9aa84 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                                                                              RT_GROUP_ICON | 0x9aeec | 0xbc | data | English | United States
                                                                                                              RT_VERSION | 0x9afa8 | 0x440 | data | English | United States
                                                                                                              RT_MANIFEST | 0x9b3e8 | 0x3ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | English | United States

                                                                                                              Imports

                                                                                                              DLL | Import
                                                                                                              mscoree.dll | _CorExeMain

                                                                                                              Version Infos

                                                                                                              Description | Data
                                                                                                              Assembly Version | 16.0.0.0
                                                                                                              LegalCopyright | Microsoft Corporation. All rights reserved.
                                                                                                              InternalName | witadmin.exe
                                                                                                              FileVersion | 16.166.30024.1 built by: releases/dev16/16.6-preview5 (77caed4305)
                                                                                                              CompanyName | Microsoft Corporation
                                                                                                              Comments | 6b2f20d4
                                                                                                              ProductName | Microsoft Visual Studio Azure DevOps Server
                                                                                                              ProductVersion | 16.166.30024.1
                                                                                                              FileDescription | witadmin.exe
                                                                                                              OriginalFilename | witadmin.exe
                                                                                                              Translation | 0x0409 0x04b0

                                                                                                              Possible Origin

                                                                                                              Language of compilation system | Country where language is spoken | Map
                                                                                                              English | United States |

                                                                                                              Network Behavior

                                                                                                              Network Port Distribution

                                                                                                              TCP Packets

                                                                                                              TimestampSource PortDest PortSource IPDest IP
Nov 29, 2020 06:49:06.858720064 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:06.885519028 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:06.885683060 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:06.922310114 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:06.948971033 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:06.951082945 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:06.951127052 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:06.951248884 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:06.963032961 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:06.989978075 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:06.990125895 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.036216974 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.066555977 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.093046904 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265099049 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265120983 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265131950 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265144110 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265152931 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265167952 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265183926 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265196085 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265211105 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265225887 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265237093 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265252113 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265270948 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265286922 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265297890 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265310049 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.265345097 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.265405893 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.338573933 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338589907 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338603020 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338627100 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338630915 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338634968 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338650942 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338661909 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338670969 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338748932 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338773966 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338777065 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.338792086 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338809013 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338824034 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338866949 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.338916063 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338936090 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.338963985 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338979959 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.338996887 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339011908 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339031935 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339032888 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.339046001 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339092970 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.339143991 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339160919 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339175940 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339191914 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339211941 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339212894 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.339270115 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.339318037 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339370966 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339386940 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.339421988 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.380106926 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.412678003 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412694931 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412707090 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412719011 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412727118 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412739038 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412746906 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412758112 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412775993 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412791014 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412802935 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412863016 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412879944 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412894964 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412905931 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.412951946 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.413042068 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413073063 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413105965 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.413110971 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413155079 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413162947 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413165092 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413172007 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413180113 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413197041 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413197041 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.413213968 CET  443          49720      172.67.143.180   192.168.2.5
Nov 29, 2020 06:49:07.413275957 CET  49720        443        192.168.2.5      172.67.143.180
Nov 29, 2020 06:49:07.413336039 CET  443          49720      172.67.143.180   192.168.2.5

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 29, 2020 06:48:49.592431068 CET  54757        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:48:49.619355917 CET  53           54757      8.8.8.8          192.168.2.5
Nov 29, 2020 06:48:50.452881098 CET  49992        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:48:50.479872942 CET  53           49992      8.8.8.8          192.168.2.5
Nov 29, 2020 06:48:52.347913980 CET  60075        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:48:52.383404016 CET  53           60075      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:06.794851065 CET  55016        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:06.833525896 CET  53           55016      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:07.933543921 CET  64345        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:07.972069979 CET  53           64345      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:14.015892982 CET  57128        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:15.006133080 CET  57128        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:16.072524071 CET  57128        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:16.099591017 CET  53           57128      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:31.701009989 CET  54791        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:31.744827032 CET  53           54791      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:36.824596882 CET  50463        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:36.860050917 CET  53           50463      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:38.577140093 CET  50394        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:38.615976095 CET  53           50394      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:42.247489929 CET  58530        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:42.274691105 CET  53           58530      8.8.8.8          192.168.2.5
Nov 29, 2020 06:49:50.300962925 CET  53813        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:49:50.351768017 CET  53           53813      8.8.8.8          192.168.2.5
Nov 29, 2020 06:50:01.251828909 CET  63732        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:50:01.289098024 CET  53           63732      8.8.8.8          192.168.2.5
Nov 29, 2020 06:50:25.678795099 CET  57344        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:50:25.705877066 CET  53           57344      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:06.451838017 CET  54450        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:06.452275991 CET  59261        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:06.460237026 CET  57151        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:06.489944935 CET  53           59261      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:06.492084026 CET  53           54450      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:06.495630026 CET  53           57151      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:14.662991047 CET  59413        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:14.701637983 CET  53           59413      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:21.824026108 CET  60516        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:21.826122999 CET  51649        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:21.859415054 CET  53           60516      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:21.863610029 CET  53           51649      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:22.658529997 CET  65086        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:22.693871975 CET  53           65086      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:30.456788063 CET  56432        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:30.492680073 CET  53           56432      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:31.626458883 CET  52929        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:31.662272930 CET  53           52929      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:34.100285053 CET  64317        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:34.135688066 CET  53           64317      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:38.658795118 CET  61004        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:38.694324970 CET  53           61004      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:40.229526997 CET  56895        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:40.265198946 CET  53           56895      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:40.482561111 CET  62372        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:40.518327951 CET  53           62372      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:41.393907070 CET  61515        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:41.429419041 CET  53           61515      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:42.054263115 CET  56675        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:42.090038061 CET  53           56675      8.8.8.8          192.168.2.5
Nov 29, 2020 06:51:48.654684067 CET  57172        53         192.168.2.5      8.8.8.8
Nov 29, 2020 06:51:48.690429926 CET  53           57172      8.8.8.8          192.168.2.5

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name          Type            Class
Nov 29, 2020 06:49:06.794851065 CET  192.168.2.5  8.8.8.8  0xfc83    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:49:36.824596882 CET  192.168.2.5  8.8.8.8  0x3952    Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:49:50.300962925 CET  192.168.2.5  8.8.8.8  0xc052    Standard query (0)  g.msn.com     A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:06.451838017 CET  192.168.2.5  8.8.8.8  0x7226    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:06.452275991 CET  192.168.2.5  8.8.8.8  0x71be    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:06.460237026 CET  192.168.2.5  8.8.8.8  0xb643    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:14.662991047 CET  192.168.2.5  8.8.8.8  0x8d0d    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:21.824026108 CET  192.168.2.5  8.8.8.8  0x727     Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:21.826122999 CET  192.168.2.5  8.8.8.8  0xbb93    Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:22.658529997 CET  192.168.2.5  8.8.8.8  0xc7e8    Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:31.626458883 CET  192.168.2.5  8.8.8.8  0xb638    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:40.229526997 CET  192.168.2.5  8.8.8.8  0x5ccc    Standard query (0)  hastebin.com  A (IP address)  IN (0x0001)
Nov 29, 2020 06:51:41.393907070 CET  192.168.2.5  8.8.8.8  0x4c60    Standard query (0)  pastebin.com  A (IP address)  IN (0x0001)
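
The DNS Queries table above shows the sample repeatedly resolving hastebin.com and pastebin.com, and the TCP Packets table shows a TLS session from 192.168.2.5:49720 to 172.67.143.180:443 that starts about 25 ms after the resolver's reply at 06:49:06.83 (UDP table). The addresses the resolver returns for both paste sites (104.23.x, 104.24.x, 172.67.x) are Cloudflare edge addresses shared by many unrelated sites, so an IP-based block or alert would be both noisy and trivially evaded; the encrypted flow has to be attributed through the DNS answer that preceded it (or the TLS SNI). The Python below is an added example, not part of this analysis report, of that passive-DNS correlation followed by a paste-service watch-list check. Its records are constructed to mirror the rows in this report with timestamps truncated to microseconds; the pastebin.com flow at 06:49:37, the 49700/49731 ports, the 300-second correlation window and the watch-list contents are assumptions.

```python
"""Attribute TCP flows to the domain the same client resolved just before them,
then flag flows to paste services. Added example; the records below are
constructed from the kind of rows in this report, not parsed from the page."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Watch-list (illustrative): public paste services are a common place for
# malware to fetch a second stage or its C2 configuration.
PASTE_SERVICES = {"pastebin.com", "hastebin.com"}

# Constructed DNS answer records: (time, client, resolver, txid, qname, rdata)
DNS_ANSWERS = [
    ("2020-11-29 06:49:06.833525", "192.168.2.5", "8.8.8.8", 0xFC83, "hastebin.com", "172.67.143.180"),
    ("2020-11-29 06:49:06.833525", "192.168.2.5", "8.8.8.8", 0xFC83, "hastebin.com", "104.24.127.89"),
    ("2020-11-29 06:49:06.833525", "192.168.2.5", "8.8.8.8", 0xFC83, "hastebin.com", "104.24.126.89"),
    ("2020-11-29 06:49:36.860050", "192.168.2.5", "8.8.8.8", 0x3952, "pastebin.com", "104.23.98.190"),
    ("2020-11-29 06:49:36.860050", "192.168.2.5", "8.8.8.8", 0x3952, "pastebin.com", "104.23.99.190"),
    # CNAME answer: rdata is a name, not an address, so it is not indexed below
    ("2020-11-29 06:49:50.351768", "192.168.2.5", "8.8.8.8", 0xC052, "g.msn.com", "g-msn-com-nsatc.trafficmanager.net"),
]

# Constructed TCP flow records: (time, src, sport, dst, dport)
TCP_FLOWS = [
    ("2020-11-29 06:49:06.858720", "192.168.2.5", 49720, "172.67.143.180", 443),  # 25 ms after the hastebin answer
    ("2020-11-29 06:49:37.100000", "192.168.2.5", 49731, "104.23.98.190", 443),   # hypothetical pastebin flow
    ("2020-11-29 06:48:40.000000", "192.168.2.5", 49700, "172.67.143.180", 443),  # predates any answer: unattributed
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_ip(s):
    """True for an IPv4/IPv6 literal, False for names (CNAME targets etc.)."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def build_passive_dns(answers):
    """Index answers as (client, address) -> [(answer_time, qname), ...], oldest first."""
    pdns = defaultdict(list)
    for ts, client, _resolver, _txid, qname, rdata in answers:
        if not is_ip(rdata):
            continue  # only address records can match a flow's destination
        pdns[(client, rdata)].append((parse_ts(ts), qname.lower()))
    for entries in pdns.values():
        entries.sort()
    return pdns


def attribute_flows(flows, pdns, max_age_s=300):
    """Label each flow with the most recent name the same client resolved to the
    flow's destination, provided that answer arrived within max_age_s before it."""
    labelled = []
    for ts, src, sport, dst, dport in flows:
        t = parse_ts(ts)
        domain = None
        for ans_t, qname in reversed(pdns.get((src, dst), [])):  # newest first
            if ans_t <= t and (t - ans_t).total_seconds() <= max_age_s:
                domain = qname
                break
        labelled.append({"time": ts, "src": src, "sport": sport, "dst": dst,
                         "dport": dport, "domain": domain})
    return labelled


def paste_service_alerts(labelled, watchlist=PASTE_SERVICES):
    """Flows attributed to a watch-listed domain."""
    return [f for f in labelled if f["domain"] in watchlist]


if __name__ == "__main__":
    flows = attribute_flows(TCP_FLOWS, build_passive_dns(DNS_ANSWERS))
    for f in flows:
        print(f"{f['time']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}  "
              f"{f['domain'] or '(unattributed)'}")
    for a in paste_service_alerts(flows):
        print("ALERT paste-service contact:", a["dst"], "as", a["domain"])
```

The correlation key is (client, destination address), not the address alone: on a shared CDN edge the same IP serves many names, and only the client that performed the lookup can tell you which one it meant. Flows with no recent matching answer (a cached resolution, DoH, or a hard-coded IP) stay unattributed rather than being guessed, which is the right failure mode for an alerting rule.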

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name          CName                               Address         Type                    Class
Nov 29, 2020 06:49:06.833525896 CET  8.8.8.8    192.168.2.5  0xfc83    No error (0)  hastebin.com  -                                   172.67.143.180  A (IP address)          IN (0x0001)
Nov 29, 2020 06:49:06.833525896 CET  8.8.8.8    192.168.2.5  0xfc83    No error (0)  hastebin.com  -                                   104.24.127.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:49:06.833525896 CET  8.8.8.8    192.168.2.5  0xfc83    No error (0)  hastebin.com  -                                   104.24.126.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:49:36.860050917 CET  8.8.8.8    192.168.2.5  0x3952    No error (0)  pastebin.com  -                                   104.23.98.190   A (IP address)          IN (0x0001)
Nov 29, 2020 06:49:36.860050917 CET  8.8.8.8    192.168.2.5  0x3952    No error (0)  pastebin.com  -                                   104.23.99.190   A (IP address)          IN (0x0001)
Nov 29, 2020 06:49:50.351768017 CET  8.8.8.8    192.168.2.5  0xc052    No error (0)  g.msn.com     g-msn-com-nsatc.trafficmanager.net  -               CNAME (Canonical name)  IN (0x0001)
Nov 29, 2020 06:51:06.489944935 CET  8.8.8.8    192.168.2.5  0x71be    No error (0)  hastebin.com  -                                   104.24.126.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.489944935 CET  8.8.8.8    192.168.2.5  0x71be    No error (0)  hastebin.com  -                                   104.24.127.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.489944935 CET  8.8.8.8    192.168.2.5  0x71be    No error (0)  hastebin.com  -                                   172.67.143.180  A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.492084026 CET  8.8.8.8    192.168.2.5  0x7226    No error (0)  hastebin.com  -                                   104.24.126.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.492084026 CET  8.8.8.8    192.168.2.5  0x7226    No error (0)  hastebin.com  -                                   104.24.127.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.492084026 CET  8.8.8.8    192.168.2.5  0x7226    No error (0)  hastebin.com  -                                   172.67.143.180  A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.495630026 CET  8.8.8.8    192.168.2.5  0xb643    No error (0)  hastebin.com  -                                   104.24.126.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.495630026 CET  8.8.8.8    192.168.2.5  0xb643    No error (0)  hastebin.com  -                                   104.24.127.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:06.495630026 CET  8.8.8.8    192.168.2.5  0xb643    No error (0)  hastebin.com  -                                   172.67.143.180  A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:14.701637983 CET  8.8.8.8    192.168.2.5  0x8d0d    No error (0)  hastebin.com  -                                   104.24.126.89   A (IP address)          IN (0x0001)
Nov 29, 2020 06:51:14.701637983 CET  8.8.8.8    192.168.2.5  0x8d0d    No error (0)  hastebin.com  -                                   104.24.127.89   A (IP address)          IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:14.701637983 CET8.8.8.8192.168.2.50x8d0dNo error (0)hastebin.com172.67.143.180A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:21.859415054 CET8.8.8.8192.168.2.50x727No error (0)pastebin.com104.23.99.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:21.859415054 CET8.8.8.8192.168.2.50x727No error (0)pastebin.com104.23.98.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:21.863610029 CET8.8.8.8192.168.2.50xbb93No error (0)pastebin.com104.23.99.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:21.863610029 CET8.8.8.8192.168.2.50xbb93No error (0)pastebin.com104.23.98.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:22.693871975 CET8.8.8.8192.168.2.50xc7e8No error (0)pastebin.com104.23.98.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:22.693871975 CET8.8.8.8192.168.2.50xc7e8No error (0)pastebin.com104.23.99.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:31.662272930 CET8.8.8.8192.168.2.50xb638No error (0)hastebin.com104.24.126.89A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:31.662272930 CET8.8.8.8192.168.2.50xb638No error (0)hastebin.com104.24.127.89A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:31.662272930 CET8.8.8.8192.168.2.50xb638No error (0)hastebin.com172.67.143.180A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:40.265198946 CET8.8.8.8192.168.2.50x5cccNo error (0)hastebin.com104.24.126.89A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:40.265198946 CET8.8.8.8192.168.2.50x5cccNo error (0)hastebin.com104.24.127.89A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:40.265198946 CET8.8.8.8192.168.2.50x5cccNo error (0)hastebin.com172.67.143.180A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:41.429419041 CET8.8.8.8192.168.2.50x4c60No error (0)pastebin.com104.23.99.190A (IP address)IN (0x0001)
                                                                                                              Nov 29, 2020 06:51:41.429419041 CET8.8.8.8192.168.2.50x4c60No error (0)pastebin.com104.23.98.190A (IP address)IN (0x0001)

                                                                                                              HTTPS Packets

Timestamp:Nov 29, 2020 06:49:06.951127052 CET
Source IP:172.67.143.180
Source Port:443
Dest IP:192.168.2.5
Dest Port:49720
Subject (leaf):CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer (leaf):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before (leaf):Sat Jul 25 02:00:00 CEST 2020
Not After (leaf):Sun Jul 25 14:00:00 CEST 2021
Subject (intermediate):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Issuer (intermediate):CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Not Before (intermediate):Mon Jan 27 13:48:08 CET 2020
Not After (intermediate):Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e

Timestamp:Nov 29, 2020 06:49:36.902630091 CET
Source IP:104.23.98.190
Source Port:443
Dest IP:192.168.2.5
Dest Port:49725
Subject (leaf):CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer (leaf):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before (leaf):Mon Aug 17 02:00:00 CEST 2020
Not After (leaf):Tue Aug 17 14:00:00 CEST 2021
Subject (intermediate):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Issuer (intermediate):CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Not Before (intermediate):Mon Jan 27 13:48:08 CET 2020
Not After (intermediate):Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e

Timestamp:Nov 29, 2020 06:51:22.807216883 CET
Source IP:104.23.98.190
Source Port:443
Dest IP:192.168.2.5
Dest Port:49743
Subject (leaf):CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
Issuer (leaf):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Not Before (leaf):Mon Aug 17 02:00:00 CEST 2020
Not After (leaf):Tue Aug 17 14:00:00 CEST 2021
Subject (intermediate):CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
Issuer (intermediate):CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Not Before (intermediate):Mon Jan 27 13:48:08 CET 2020
Not After (intermediate):Wed Jan 01 00:59:59 CET 2025
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e
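The JA3 SSL Client Fingerprint column is the raw JA3 string (TLS version, cipher suites, extensions, named groups and EC point formats from the ClientHello, fields joined with commas and list entries with hyphens) and the JA3 SSL Client Digest is its MD5. The block below is an added example, not part of the Joe Sandbox report: it parses the reported string, rebuilds it from its fields with GREASE values dropped as the JA3 algorithm requires, summarises what the client offered, and recomputes the digest. JA3 fingerprints the TLS stack rather than the program, and this sample is a .NET binary using the Windows TLS stack (Schannel), so benign .NET software on the same Windows build produces the same digest; treat it as a pivot, not a detection on its own. REPORTED_JA3 and REPORTED_DIGEST are copied from the table above; the extension and group names are from the IANA TLS registries.

```python
"""
JA3 handling for the HTTPS Packets table: parse the reported JA3 string, rebuild it
from its fields (dropping GREASE values, as JA3 defines), summarise the ClientHello
and recompute the MD5 digest. Added example; not code from the report.
"""
import hashlib

# Values copied from the report's HTTPS Packets table.
REPORTED_JA3 = ("771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-"
                "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
REPORTED_DIGEST = "3b5074b1b5d032e5620f69f9f700ff0e"

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
# IANA TLS ExtensionType and Supported Groups registry names for the values in this fingerprint.
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms", 23: "extended_master_secret",
                   35: "session_ticket", 65281: "renegotiation_info"}
GROUP_NAMES = {23: "secp256r1", 24: "secp384r1", 29: "x25519"}

FIELDS = ("version", "ciphers", "extensions", "groups", "point_formats")


def is_grease(value):
    """GREASE values (RFC 8701) are 0x?a?a with both bytes equal; JA3 drops them
    because clients randomise which one they send, which would break the hash."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_ja3(ja3):
    """Split a JA3 string into its five fields; empty list fields are allowed."""
    parts = ja3.split(",")
    if len(parts) != 5:
        raise ValueError("JA3 string must have exactly 5 comma-separated fields")
    version = int(parts[0])
    lists = [[int(x) for x in p.split("-")] if p else [] for p in parts[1:]]
    return dict(zip(FIELDS, [version] + lists))


def build_ja3(version, ciphers, extensions, groups, point_formats):
    """Assemble the JA3 string from raw ClientHello field values, GREASE removed."""
    def field(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(groups), field(point_formats)])


def ja3_digest(ja3):
    """The JA3 'hash' is the MD5 of the JA3 string."""
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


def describe(ja3):
    """Human-readable summary of what the client offered."""
    f = parse_ja3(ja3)
    return {
        "version": TLS_VERSIONS.get(f["version"], hex(f["version"])),
        "cipher_count": len(f["ciphers"]),
        # TLS 1.3 suites occupy 0x1301..0x1305 in the IANA registry.
        "offers_tls13_suites": any(0x1301 <= c <= 0x1305 for c in f["ciphers"]),
        "extensions": [EXTENSION_NAMES.get(e, str(e)) for e in f["extensions"]],
        "groups": [GROUP_NAMES.get(g, str(g)) for g in f["groups"]],
        "has_alpn": 16 in f["extensions"],  # ALPN is extension type 16
    }


def reported_digest_consistent():
    """True if the table's digest really is the MD5 of the table's JA3 string."""
    return ja3_digest(REPORTED_JA3) == REPORTED_DIGEST


if __name__ == "__main__":
    print(describe(REPORTED_JA3))
    print("digest:", ja3_digest(REPORTED_JA3),
          "consistent with report:", reported_digest_consistent())
```

The summary shows a TLS 1.2-only client list (no TLS 1.3 suites, no ALPN), which is what to expect from the .NET Framework's HTTP stack on the Windows build used in the sandbox; the same digest on an endpoint therefore needs corroboration from process or DNS telemetry before it means anything.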

                                                                                                              Code Manipulations

                                                                                                              Statistics

                                                                                                              Behavior

                                                                                                              System Behavior

                                                                                                              General

                                                                                                              Start time:06:48:54
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0xa20000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Reputation:low

                                                                                                              General

                                                                                                              Start time:06:48:59
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:timeout 4
                                                                                                              Imagebase:0x350000
                                                                                                              File size:26112 bytes
                                                                                                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:06:49:00
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:06:49:32
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
                                                                                                              Imagebase:0x12e0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:06:49:32
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language
                                                                                                              Reputation:high

                                                                                                              General

                                                                                                              Start time:06:49:32
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
                                                                                                              Imagebase:0x12e0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:49:33
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force
                                                                                                              Imagebase:0x12e0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:49:33
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language

                                                                                                              General

                                                                                                              Start time:06:49:33
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language

                                                                                                              General

                                                                                                              Start time:06:49:33
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force
                                                                                                              Imagebase:0x12e0000
                                                                                                              File size:430592 bytes
                                                                                                              MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:49:34
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language

                                                                                                              General

                                                                                                              Start time:06:49:39
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Imagebase:0x840000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Yara matches:
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.509306076.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.532140773.0000000002C41000.00000004.00000001.sdmp, Author: Joe Security
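The process list records the defense-evasion step (powershell.exe Add-MpPreference -ExclusionPath ... -Force, spawned by the sample for both its Desktop copy and the copy it drops into the Startup folder) and the DNS table records the paste-service lookups that the "Connects to a pastebin service" signature fires on. The block below is an added example, not part of the report, that runs detection logic for both behaviours over constructed key=value events (hostnames, PIDs and UTC timestamps are made up; image paths and command lines mirror the report) and then correlates them per host: a host that adds a Defender exclusion from a parent running under a user profile and resolves a paste service within ten minutes gets one composite alert. Domain matching is done on a label boundary, so raw.pastebin.com matches while pastebin.com.evil.example does not, and Get-MpPreference is ignored because only Add-/Set-MpPreference with an -Exclusion* parameter changes policy.

```python
"""
Detection logic, added as an example (not part of the Joe Sandbox report), for two
behaviours the report records: paste-service DNS lookups used as a C2 channel and
Defender exclusions added through PowerShell's Add-MpPreference.
"""
import re
from collections import defaultdict
from datetime import datetime

# Paste services seen in the DNS table; extend with whatever your environment tolerates.
PASTE_SERVICES = {"pastebin.com", "hastebin.com"}
# Parameters that change Defender's exclusion lists when passed to Add-/Set-MpPreference.
EXCLUSION_PARAMS = ("-exclusionpath", "-exclusionprocess", "-exclusionextension")

# Constructed sample events (hosts, PIDs and UTC timestamps are made up; paths and
# command lines mirror the report). Format: key=value, double quotes around values with spaces.
SAMPLE_EVENTS = r'''
type=dns ts=2020-11-29T05:49:06Z host=WS01 qname=hastebin.com qtype=A rcode=NOERROR answer=172.67.143.180
type=dns ts=2020-11-29T05:49:36Z host=WS01 qname=pastebin.com qtype=A rcode=NOERROR answer=104.23.98.190
type=dns ts=2020-11-29T05:49:50Z host=WS01 qname=g.msn.com qtype=A rcode=NOERROR answer=g-msn-com-nsatc.trafficmanager.net
type=dns ts=2020-11-29T05:52:00Z host=WS02 qname=pastebin.com.evil.example qtype=A rcode=NXDOMAIN answer=
type=dns ts=2020-11-29T05:52:30Z host=WS02 qname=raw.pastebin.com qtype=A rcode=NOERROR answer=104.23.99.190
type=process ts=2020-11-29T05:48:59Z host=WS01 pid=2204 ppid=1880 image="C:\Windows\SysWOW64\timeout.exe" parent="C:\Users\user\Desktop\Payment_Advice_pdf.exe" cmdline="timeout 4"
type=process ts=2020-11-29T05:49:32Z host=WS01 pid=2340 ppid=1880 image="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Users\user\Desktop\Payment_Advice_pdf.exe" cmdline="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe' -Force"
type=process ts=2020-11-29T05:49:33Z host=WS01 pid=2356 ppid=1880 image="C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Users\user\Desktop\Payment_Advice_pdf.exe" cmdline="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Payment_Advice_pdf.exe' -Force"
type=process ts=2020-11-29T06:10:00Z host=WS03 pid=4100 ppid=900 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\svchost.exe" cmdline="powershell.exe Get-MpPreference"
'''

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def load_events(text):
    """Parse key=value lines into dicts; quoted values may contain spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: q or u for k, q, u in KV_RE.findall(line)})
    return events


def is_paste_service(qname):
    """Match the service or a subdomain of it on a label boundary, so
    raw.pastebin.com matches but pastebin.com.evil.example does not."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in PASTE_SERVICES)


def paste_service_lookups(events):
    return [e for e in events if e.get("type") == "dns" and is_paste_service(e["qname"])]


def defender_exclusions(events):
    """PowerShell process creations that add or replace a Defender exclusion.
    The parent image is kept: an exclusion added by a binary running from a user
    profile path (Desktop, AppData) is far more suspicious than one added by an
    admin tool or management agent."""
    findings = []
    for e in events:
        if e.get("type") != "process":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        if not re.search(r"\b(add|set)-mppreference\b", cmd):
            continue
        if not any(p in cmd for p in EXCLUSION_PARAMS):
            continue
        m = re.search(r"-exclusion\w+\s+'([^']*)'", e["cmdline"], re.IGNORECASE)
        findings.append({
            "host": e["host"], "ts": e["ts"], "parent": e["parent"],
            "excluded": m.group(1) if m else None,
            "parent_in_user_profile": e["parent"].lower().startswith("c:\\users\\"),
        })
    return findings


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window_seconds=600):
    """Composite alert: the same host both added a Defender exclusion and resolved a
    paste service within the window. Either alone has benign explanations; together,
    from a user-profile parent, they match this sample's chain."""
    by_host = defaultdict(lambda: {"dns": [], "excl": []})
    for e in paste_service_lookups(events):
        by_host[e["host"]]["dns"].append(e)
    for f in defender_exclusions(events):
        by_host[f["host"]]["excl"].append(f)
    alerts = []
    for host, groups in sorted(by_host.items()):
        for f in groups["excl"]:
            near = [e for e in groups["dns"]
                    if abs((_ts(e["ts"]) - _ts(f["ts"])).total_seconds()) <= window_seconds]
            if near:
                alerts.append({"host": host, "ts": f["ts"], "parent": f["parent"],
                               "excluded": f["excluded"],
                               "paste_domains": sorted({e["qname"] for e in near})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_EVENTS)):
        print(alert)
```

In production the process events come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled, and the DNS events from the DNS Client operational log or a resolver's query log; the key=value format here only stands in for those. Two separate alerts are produced for WS01 because the sample excludes both its Desktop copy and the Startup-folder copy, which is itself a useful detail to surface: an exclusion whose target sits in a Startup folder is persistence being protected, not a false positive.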

                                                                                                              General

                                                                                                              Start time:06:49:44
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0xdb0000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:49:53
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0xe50000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:50:02
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0x370000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:50:11
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\Desktop\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\Desktop\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0xe60000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET

                                                                                                              General

                                                                                                              Start time:06:50:20
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment_Advice_pdf.exe'
                                                                                                              Imagebase:0xbb0000
                                                                                                              File size:631776 bytes
                                                                                                              MD5 hash:536CF4ED17EBA1BF41EF70FAAA2054A4
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                              Antivirus matches:
                                                                                                              • Detection: 19%, Metadefender, Browse
                                                                                                              • Detection: 48%, ReversingLabs

                                                                                                              General

                                                                                                              Start time:06:50:53
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                              Wow64 process (32bit):true
                                                                                                              Commandline:timeout 4
                                                                                                              Imagebase:0x350000
                                                                                                              File size:26112 bytes
                                                                                                              MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language

                                                                                                              General

                                                                                                              Start time:06:50:54
                                                                                                              Start date:29/11/2020
                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                              Wow64 process (32bit):false
                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                              Imagebase:0x7ff7ecfc0000
                                                                                                              File size:625664 bytes
                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                              Has elevated privileges:true
                                                                                                              Has administrator privileges:true
                                                                                                              Programmed in:C, C++ or other language

                                                                                                              Disassembly

                                                                                                              Code Analysis
