Analysis Report Payment Confirmation WRT547879808054962 -copy- PDF.exe

Overview

General Information

Sample Name: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Analysis ID: 385436
MD5: 4fd9b2fe130283684b83a724e907f9cc
SHA1: 7b76fc786ae6827a016008d8f673f965382df74f
SHA256: c42183aaf2368c13bddd363af982f2725e599581869f08f9041d6cd0c47cfe41
Tags: agenttesla

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "francisco.branco@raposolda.ptraposowebmail.raposolda.ptdexter.chan.arkema@gmail.com"}
Multi AV Scanner detection for submitted file
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Virustotal: Detection: 7%
Antivirus or Machine Learning detection for unpacked file
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdb source: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdbL source: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe:Zone.Identifier
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://WOxurg.com
Source: powershell.exe, 00000006.00000003.744257338.000000000336E000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.671110007.00000000091E0000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.743248027.0000000008642000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.671110007.00000000091E0000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.743248027.0000000008642000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.671110007.00000000091E0000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.743248027.0000000008642000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792637500.0000000002853000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngL
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.762327814.0000000005241000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlL
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterL
Source: powershell.exe, 00000006.00000002.766180901.0000000005AC4000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732872905.0000000002471000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732784004.0000000002456000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com/y4m5XX6QkrwADm0BE9F-KSc8YnyeZDSlbhZLWTjlFVYy-veD8YYcFqN28-tktG1NL85
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657303347.000000000319A000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657314649.00000000031A2000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com/y4mMeZFRcepSUvfHHz78iFvE-ZuqZc3MQxw65cL9BgxxRG8uSqXuaPfM-QzJZ6boj4Z
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792439393.0000000002826000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792585458.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com/y4mXLu603m3jm6-ClIGtC1Az35xWdigz4o0siY8DGpOvlqCOwFnvAGFtLpqNdNR5rqj
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657277111.0000000003186000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732784004.0000000002456000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792439393.0000000002826000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com/y4mfan37UkvAP8TzysQzz8DHHDcbHobX5nJ5uM87bEKvhvSbPaxkqGBpPPXuMtIgMOn
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657314649.00000000031A2000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com46k
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732872905.0000000002471000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com46kpMH
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792585458.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://lniuzw.bn.files.1drv.com46kxM
Source: powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=A263F254A0224137&resid=A263F254A0224137
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe String found in binary or memory: https://onedrive.live.com/download?cid=A263F254A0224137&resid=A263F254A0224137%211108&authkey=AC8o8n
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b81B2D53Du002d07BFu002d4013u002d87C3u002d349BBF8AECD5u007d/u00352C67D0Cu002d96D7u002d44C6u002d9D85u002dBC68EC5FA093.cs Large array initialization: .cctor: array initializer size 11967
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b81B2D53Du002d07BFu002d4013u002d87C3u002d349BBF8AECD5u007d/u00352C67D0Cu002d96D7u002d44C6u002d9D85u002dBC68EC5FA093.cs Large array initialization: .cctor: array initializer size 11967
Executable has a suspicious name (potential lure to open the executable)
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 11_2_00A4C124 11_2_00A4C124
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 11_2_00A4E560 11_2_00A4E560
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 11_2_00A4E570 11_2_00A4E570
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F547A0 14_2_00F547A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F546B0 14_2_00F546B0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F5D7A0 14_2_00F5D7A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C247A0 20_2_02C247A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C23E58 20_2_02C23E58
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C280D1 20_2_02C280D1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C24790 20_2_02C24790
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C24710 20_2_02C24710
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02C24730 20_2_02C24730
Sample file is different than original file name gathered from version info
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Binary or memory string: OriginalFilename vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.661095318.0000000007560000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.656203623.0000000000CB2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.661167379.00000000075A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Binary or memory string: OriginalFilename vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.730505160.0000000000092000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.741614194.0000000007850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.741422130.0000000007810000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Binary or memory string: OriginalFilename vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.900473150.0000000000CCA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899549497.0000000000612000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.794860501.0000000003859000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.787054463.00000000009C0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000000.755832135.0000000000332000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800720178.0000000008640000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800193098.0000000008080000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899548180.00000000008B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Uses 32bit PE files
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal96.troj.adwa.evad.winEXE@17/5@12/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210412
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe File created: C:\Users\user\AppData\Local\Temp\310197.js
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Virustotal: Detection: 7%
Source: unknown Process created: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdb source: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdbL source: Payment Confirmation WRT547879808054962 -copy- PDF.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.cb0000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.cb0000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.90000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.90000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.610000.1.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.610000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.330000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.330000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.8b0000.1.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.8b0000.0.unpack, FenetreAjouterModule.cs .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 0_2_05623BB9 push eax; mov dword ptr [esp], edx 0_2_05623BCC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 11_2_00A4F930 pushad ; iretd 11_2_00A4F931
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00CBD95C push eax; ret 14_2_00CBD95D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00CBE32B push eax; ret 14_2_00CBE349
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F56A4F push edi; retf 14_2_00F56A5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F56B1F push ebx; retf 14_2_00F56B3A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F58EE1 push ebx; retf 14_2_00F58EEE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F516A1 push edx; retf 14_2_00F516AE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 14_2_00F59981 push ebx; retf 14_2_00F5998E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02BCE332 push eax; ret 20_2_02BCE349
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Code function: 20_2_02BCD95C push eax; ret 20_2_02BCD95D

Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2389
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 606
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Window / User API: threadDelayed 2788
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Window / User API: threadDelayed 7055
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Window / User API: threadDelayed 413
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Window / User API: threadDelayed 9445
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 6112 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764 Thread sleep count: 2389 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752 Thread sleep count: 606 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5764 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5176 Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5180 Thread sleep count: 2788 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5180 Thread sleep count: 7055 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 2792 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6152 Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6304 Thread sleep count: 413 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6304 Thread sleep count: 9445 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe:Zone.Identifier
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: powershell.exe, 00000006.00000002.765881001.0000000005926000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx'_
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.656896998.00000000013C1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000006.00000002.765881001.0000000005926000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process queried: DebugObjectHandle
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.743151064.000000000862E000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.671110007.00000000091E0000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp Binary or memory string: l.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp Binary or memory string: l(C:\Program Files\AVG\Antivirus\AVGUI.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 7004, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6972, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6756, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.3549198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39177a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4278350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 7004, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6972, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6756, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.3549198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39177a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4278350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 385436; sample: Payment Confirmation WRT547879808054962 -copy- PDF.exe; start date: 12/04/2021; architecture: WINDOWS; score: 96): the graph shows the sample launching cmd.exe, which starts wscript.exe, powershell.exe, conhost.exe and timeout.exe; powershell.exe then starts a further copy of the sample, and the sample processes contact onedrive.live.com, lniuzw.bn.files.1drv.com and bn-files.fe.1drv.com.

Contacted Public IPs

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Contacted Private IPs

IP
192.168.2.1

Contacted Domains

Name | IP | Active
onedrive.live.com | unknown | unknown
lniuzw.bn.files.1drv.com | unknown | unknown