Analysis Report Payment Confirmation.exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: Payment Confirmation.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

ReversingLabs: Detection: 47%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment Confirmation.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.0.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.2.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.0.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.Payment Confirmation.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 7.0.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.2.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 8.0.cvcvsdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 3.1.cvcvsdf.exe.400000.0.unpack	Avira: Label: BDS/Backdoor.Gen
Source: 0.2.Payment Confirmation.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files

Source: Payment Confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0040A490 FindFirstFileA,GetLastError,		3_2_0040A490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00406B58 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,		3_2_00406B58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0047EE4C FindFirstFileA,		3_2_0047EE4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00465348 FindFirstFileA,		3_2_00465348

Networking:

Uses dynamic DNS services

Source: unknown

DNS query: name: martinboss.ddns.net

Contains functionality to download and execute PE files

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,

3_2_004727B4

Contains functionality to upload files via FTP

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00470278 FtpPutFileA,

3_2_00470278

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49722 -> 79.134.225.30:508

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 79.134.225.30 79.134.225.30

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Contains functionality to download additional files from the internet

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,

3_2_004727B4

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: martinboss.ddns.net

Urls found in memory or binary data

Source: Payment Confirmation.exe	String found in binary or memory: http://technohub.in
Source: Payment Confirmation.exe	String found in binary or memory: http://www.technohub.in/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture and log keystrokes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [ESC]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [F1]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [F2]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [DEL]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [DEL]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [INS]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [SNAPSHOT]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [LEFT]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [RIGHT]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [DOWN]		3_2_0047F788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: [UP]		3_2_0047F788

Contains functionality to log keystrokes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0047F788 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

3_2_0047F788

Contains functionality to log keystrokes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0047F788 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

3_2_0047F788

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0047FD60 SetWindowsHookExA 0000000D,Function_0007F788,00000000,00000000

3_2_0047FD60

Contains functionality for read data from the clipboard

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004083D6 OpenClipboard,

3_2_004083D6

Contains functionality to read the clipboard data

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00430F5C GetClipboardData,GlobalFix,GlobalUnWire,

3_2_00430F5C

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00428440 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

3_2_00428440

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00455020 GetMessagePos,GetKeyboardState,

3_2_00455020

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0047F788 CallNextHookEx,CallNextHookEx,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,MapVirtualKeyA,ToAscii,CallNextHookEx,

3_2_0047F788

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.592032143.000000000238A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects DarkComet RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet RAT Author: botherder https://github.com/botherder
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 Author: Kevin Breen <kevin@techanarchy.net>

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Yara detected DarkComet

Source: Yara match	File source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY
Source: Yara match	File source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY
Source: Yara match	File source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Confirmation.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0044521C NtdllDefWindowProc_A,		3_2_0044521C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0043838C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,		3_2_0043838C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004304E8 NtdllDefWindowProc_A,		3_2_004304E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00455220 SetWindowPos,NtdllDefWindowProc_A,GetCapture,		3_2_00455220
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00445968 SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,		3_2_00445968
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00461974 NtdllDefWindowProc_A,		3_2_00461974
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00445A48 SetActiveWindow,ShowWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,		3_2_00445A48
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		7_3_030CC8DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		7_3_030CC8DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		7_3_030CC8DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		7_3_030CC8DC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_2_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,		7_2_030CC8DC

Contains functionality to delete services

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004706C8 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

3_2_004706C8

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0040811E ExitWindowsEx,

3_2_0040811E

Detected potential crypto function

Source: C:\Users\user\Desktop\Payment Confirmation.exe	Code function: 0_2_0041BC60		0_2_0041BC60
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0043E01C		3_2_0043E01C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00402360		3_2_00402360
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0043838C		3_2_0043838C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00406414		3_2_00406414
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0045E7A4		3_2_0045E7A4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004698D4		3_2_004698D4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_0304FB68		7_3_0304FB68
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 7_3_0304FB68		7_3_0304FB68

Enables driver privileges

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Process token adjusted: Load Driver

Jump to behavior

Enables security privileges

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Process token adjusted: Security

Jump to behavior

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: String function: 00407BA8 appears 109 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: String function: 00405470 appears 41 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: String function: 0042121C appears 73 times
Source: C:\Users\user\Desktop\Payment Confirmation.exe	Code function: String function: 0041BC60 appears 72 times

PE file contains strange resources

Source: Payment Confirmation.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cvcvsdf.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Payment Confirmation.exe, 00000000.00000002.344091917.0000000002150000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Payment Confirmation.exe
Source: Payment Confirmation.exe, 00000000.00000000.325924992.000000000043C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Payment Confirmation.exe
Source: Payment Confirmation.exe	Binary or memory string: OriginalFilename1.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX vs Payment Confirmation.exe

Uses 32bit PE files

Source: Payment Confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 00000008.00000003.365577575.00000000023BA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 00000003.00000002.592032143.000000000238A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 4820, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet_2 date = 2013-01-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = DarkComet, version = 1.0
Source: Process Memory Space: cvcvsdf.exe PID: 7148, type: MEMORY	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_DarkComet date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects DarkComet RAT, reference = http://malwareconfig.com/stats/DarkComet
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_1 author = botherder https://github.com/botherder, description = DarkComet RAT
Source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: DarkComet_3 date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/DarkComet

Binary contains paths to development resources

Source: Payment Confirmation.exe, 00000000.00000002.342440915.000000000043A000.00000004.00020000.sdmp, cvcvsdf.exe, 00000001.00000002.338400368.000000000043A000.00000004.00020000.sdmp, cvcvsdf.exe, 00000007.00000002.367404683.000000000043A000.00000004.00020000.sdmp	Binary or memory string: @*\AC:\warka\snakeRat\ssfff\55-ftp\NASHFTP.vbp
Source: Payment Confirmation.exe	Binary or memory string: C*\AC:\warka\snakeRat\ssfff\55-ftp\NASHFTP.vbp

Classification label

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.evad.winEXE@8/1@84/2

Contains functionality for error logging

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004253A8 GetLastError,FormatMessageA,

3_2_004253A8

Contains functionality to check free disk space

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0040A74E GetDiskFreeSpaceA,

3_2_0040A74E

Contains functionality to create services

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,

3_2_00470968

Contains functionality to load and extract PE file embedded resources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0041C268 FindResourceA,LoadResource,SizeofResource,LockResource,

3_2_0041C268

Contains functionality to modify services (start/stop/modify)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004705D0 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

3_2_004705D0

Creates files inside the user directory

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Jump to behavior

Creates mutexes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\DC_MUTEX-VPUBE8K

Detected Delphi use of System.ParamCount()

Source: Yara match	File source: 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cvcvsdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cvcvsdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

PE file has an executable .text section and no other executable section

Source: Payment Confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using Borland Delphi (Probably coded in Delphi)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)

Source: C:\Users\user\Desktop\Payment Confirmation.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\Payment Confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample reads its own file content

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File read: C:\Users\user\Desktop\Payment Confirmation.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\Payment Confirmation.exe 'C:\Users\user\Desktop\Payment Confirmation.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe
Source: C:\Users\user\Desktop\Payment Confirmation.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\Payment Confirmation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0042EB3C

PE file contains an invalid checksum

Source: cvcvsdf.exe.0.dr	Static PE information: real checksum: 0x40b44 should be: 0xe266c
Source: Payment Confirmation.exe	Static PE information: real checksum: 0x40b44 should be: 0xe266c

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Payment Confirmation.exe	Code function: 0_2_00403140 push cs; retf		0_2_00403144
Source: C:\Users\user\Desktop\Payment Confirmation.exe	Code function: 0_2_00403B78 push cs; retf		0_2_00403B7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004186D8 push ecx; mov dword ptr [esp], edx		3_2_004186DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004041D0 push eax; ret		3_2_0040420C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0042E1F0 push 0042E21Ch; ret		3_2_0042E214
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0042225C push 0042229Fh; ret		3_2_00422297
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0044A278 push ecx; mov dword ptr [esp], edx		3_2_0044A27C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004302E8 push 00430348h; ret		3_2_00430340
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0041639A push 00416412h; ret		3_2_0041640A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0041639C push 00416412h; ret		3_2_0041640A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004324A8 push 004324F4h; ret		3_2_004324EC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0045E4B4 push 0045E4E0h; ret		3_2_0045E4D8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0044A51C push ecx; mov dword ptr [esp], edx		3_2_0044A520
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0042C598 push 0042C615h; ret		3_2_0042C60D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00430634 push 00430660h; ret		3_2_00430658
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00408724 push 00408766h; ret		3_2_0040875E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0045E7A4 push ecx; mov dword ptr [esp], eax		3_2_0045E7A9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0041086C push 00410898h; ret		3_2_00410890
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0044A818 push 0044A844h; ret		3_2_0044A83C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00418934 push ecx; mov dword ptr [esp], edx		3_2_00418939
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00418A54 push ecx; mov dword ptr [esp], edx		3_2_00418A59
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00418A98 push ecx; mov dword ptr [esp], edx		3_2_00418A9D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00420B54 push 00420BFFh; ret		3_2_00420BF7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00430C7C push 00430CD6h; ret		3_2_00430CCE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00462C08 push 00462F34h; ret		3_2_00462F2C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00416D54 push 00416DA1h; ret		3_2_00416D99
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0047EE4C push 0047EEE8h; ret		3_2_0047EEE0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00420E54 push 00420E97h; ret		3_2_00420E8F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00438F0C push 00438F77h; ret		3_2_00438F6F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004670F8 push 00467130h; ret		3_2_00467128
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0042B278 push 0042B348h; ret		3_2_0042B340

Persistence and Installation Behavior:

Contains functionality to download and launch executables

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004727B4 URLDownloadToFileA,ShellExecuteA,RtlExitUserThread,

3_2_004727B4

Drops PE files

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\Payment Confirmation.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Jump to behavior

Contains functionality to start windows services

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_004705D0 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

3_2_004705D0

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0045843C IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,		3_2_0045843C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0043B134 IsIconic,		3_2_0043B134
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_004571F8 IsIconic,GetCapture,		3_2_004571F8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0043B1B0 GetWindowLongA,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongA,SetWindowLongA,ShowWindow,ShowWindow,		3_2_0043B1B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00457B00 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,		3_2_00457B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0042DCA8 IsIconic,GetWindowPlacement,GetWindowRect,		3_2_0042DCA8

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0042EB3C

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\Payment Confirmation.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\Payment Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

3_2_00444454

Contains functionality to enumerate running services

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,

3_2_00470758

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Window / User API: threadDelayed 868

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe TID: 2916

Thread sleep time: -13888000s >= -30000s

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0040A490 FindFirstFileA,GetLastError,		3_2_0040A490
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00406B58 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,		3_2_00406B58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_0047EE4C FindFirstFileA,		3_2_0047EE4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: 3_2_00465348 FindFirstFileA,		3_2_00465348

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0042EB3C LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

3_2_0042EB3C

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00407BAE GetProcessHeap,

3_2_00407BAE

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 7_3_030CC8DC CreateProcessW,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,

7_3_030CC8DC

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Contains functionality to simulate keystroke presses

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00468550 keybd_event,

3_2_00468550

Contains functionality to simulate mouse events

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0047E068 WSAStartup,socket,WSACleanup,htons,inet_addr,gethostbyname,WSACleanup,RtlExitUserThread,connect,closesocket,RtlExitUserThread,mouse_event,SetCursorPos,mouse_event,mouse_event,SetCursorPos,mouse_event,mouse_event,SetCursorPos,mouse_event,mouse_event,closesocket,RtlExitUserThread,

3_2_0047E068

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Progman
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Progmanjh@OFjj
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndjjh
Source: cvcvsdf.exe, 00000003.00000002.591760385.0000000000E50000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: cvcvsdf.exe, 00000003.00000002.591760385.0000000000E50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjhXNF
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndjh
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: ProgmanU
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndTrayNotifyWndTrayClockWClassjh
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: ButtonShell_TrayWndj
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_traywndReBarWindow32jh
Source: cvcvsdf.exe, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_traywnd
Source: cvcvsdf.exe, 00000003.00000002.590959377.0000000000400000.00000040.00000001.sdmp, cvcvsdf.exe, 00000008.00000002.365956885.0000000000400000.00000040.00000001.sdmp	Binary or memory string: Shell_TrayWndPjjh

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,		3_2_00406D1C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,		3_2_00406E28
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: GetLocaleInfoA,		3_2_0040D33C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe	Code function: GetLocaleInfoA,		3_2_0040D388

Contains functionality to query local / system time

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0040BCCC GetLocalTime,

3_2_0040BCCC

Contains functionality to query the account / user name

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_00470C6C GetUserNameA,LookupAccountNameA,IsValidSid,ConvertSidToStringSidA,GlobalFree,

3_2_00470C6C

Contains functionality to query windows version

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cvcvsdf.exe

Code function: 3_2_0040E31C GetVersionExA,

3_2_0040E31C