
Analysis Report Payment Confirmation WRT547879808054962 -copy- PDF.exe

Overview

General Information

Sample Name: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Analysis ID: 385436
MD5: 4fd9b2fe130283684b83a724e907f9cc
SHA1: 7b76fc786ae6827a016008d8f673f965382df74f
SHA256: c42183aaf2368c13bddd363af982f2725e599581869f08f9041d6cd0c47cfe41
Tags: agenttesla

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • Payment Confirmation WRT547879808054962 -copy- PDF.exe (PID: 7004 cmdline: 'C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe' MD5: 4FD9B2FE130283684B83A724E907F9CC)
    • cmd.exe (PID: 6312 cmdline: cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3152 cmdline: timeout 4 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • wscript.exe (PID: 3436 cmdline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • powershell.exe (PID: 6616 cmdline: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "francisco.branco@raposolda.ptraposowebmail.raposolda.ptdexter.chan.arkema@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 14 entries shown)

Unpacked PEs

Source | Rule | Description | Author
11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.3549198.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 12 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "francisco.branco@raposolda.ptraposowebmail.raposolda.ptdexter.chan.arkema@gmail.com"}
Multi AV Scanner detection for submitted file
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Virustotal: Detection: 7%
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdb | source: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdbL | source: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe:Zone.Identifier
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: unknown | DNS traffic detected: queries for: onedrive.live.com

System Summary:

.NET source code contains very large array initializations
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b81B2D53Du002d07BFu002d4013u002d87C3u002d349BBF8AECD5u007d/u00352C67D0Cu002d96D7u002d44C6u002d9D85u002dBC68EC5FA093.cs | Large array initialization: .cctor: array initializer size 11967
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b81B2D53Du002d07BFu002d4013u002d87C3u002d349BBF8AECD5u007d/u00352C67D0Cu002d96D7u002d44C6u002d9D85u002dBC68EC5FA093.cs | Large array initialization: .cctor: array initializer size 11967
Executable has a suspicious name (potential lure to open the executable)
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Binary or memory string: OriginalFilename vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.661095318.0000000007560000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.656203623.0000000000CB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.661167379.00000000075A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.730505160.0000000000092000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.741614194.0000000007850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.741422130.0000000007810000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.900473150.0000000000CCA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899549497.0000000000612000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.794860501.0000000003859000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub.dll4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.787054463.00000000009C0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000000.755832135.0000000000332000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800720178.0000000008640000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800193098.0000000008080000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899548180.00000000008B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameFNxsusAJjLIPezOwqKUayvBbEQkEFCEBpp.exe4 vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Binary or memory string: OriginalFilenameZandi.exe, vs Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal96.troj.adwa.evad.winEXE@17/5@12/1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210412
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | File created: C:\Users\user\AppData\Local\Temp\310197.js
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Virustotal: Detection: 7%
Source: unknown | Process created: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdb
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Binary string: C:\Users\Administrator\Desktop\NewProjects\FormaDai\obj\Debug\Zandi.pdbL
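The three "Static PE information" entries above (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present, IMAGE_DIRECTORY_ENTRY_DEBUG present, and the DllCharacteristics set NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) all come from a few fixed offsets in the optional header, and they decide which tool you reach for next: a non-empty COM descriptor entry (data directory 14) means the file carries a CLR header, so a .NET decompiler rather than a native disassembler is the right tool. The following is an added example, not part of this Joe Sandbox report and not code from the sample: a stdlib-only Python reader for exactly those fields, plus a builder for a constructed header-only PE32 image so it can be exercised offline. The flag values are the documented Windows constants; the builder's section count and data-directory RVAs are made up and carry no meaning beyond the test.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Machine and .Characteristics values reported above
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (documented Windows constants)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIRECTORY_NAMES = {
    1: "IMAGE_DIRECTORY_ENTRY_IMPORT", 2: "IMAGE_DIRECTORY_ENTRY_RESOURCE",
    6: "IMAGE_DIRECTORY_ENTRY_DEBUG", 14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
}


def parse_pe(data: bytes) -> dict:
    """Read machine, file/DLL characteristics and the populated data
    directories from a PE image. Raises ValueError on anything that is not a
    well-formed PE header, so callers can triage in bulk without crashing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    if opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                     # PE32
        dll_off, ndirs_off, dirs_off = 70, 92, 96
    elif magic == 0x20B:                   # PE32+: 8-byte ImageBase/stack/heap fields shift the tail
        dll_off, ndirs_off, dirs_off = 70, 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + dll_off)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    present = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if rva and size:
            present[i] = (rva, size)
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#x}"),
        "pe32plus": magic == 0x20B,
        "file_characteristics": [n for b, n in FILE_CHARACTERISTICS.items() if chars & b],
        "dll_characteristics": [n for b, n in DLL_CHARACTERISTICS.items() if dll_chars & b],
        "directories": [DIRECTORY_NAMES.get(i, f"entry_{i}") for i in sorted(present)],
        # a populated CLR header (directory 14) is what makes this a managed image
        "is_dotnet": 14 in present,
        "has_debug_dir": 6 in present,
    }


def build_sample_pe32(dll_chars: int, dirs: dict) -> bytes:
    """Constructed header-only PE32 image for offline testing (not the sample
    from this report): DOS header, COFF header and a 224-byte optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0002 | 0x0100)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)                 # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    for index, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * index, rva, size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh_:
        print(parse_pe(fh_.read()))
```

The DllCharacteristics combination the report lists is what the .NET compilers emit by default, so on its own it says nothing about intent; the CLR header and the debug directory (which is where the Zandi.pdb path above comes from) are the actionable bits. Run it as `python pe_triage.py sample.exe` on a real file; the builder exists only so the parser can be tested without one.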

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.cb0000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.cb0000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.90000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.90000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.610000.1.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 14.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.610000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.330000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.330000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.8b0000.1.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.0.Payment Confirmation WRT547879808054962 -copy- PDF.exe.8b0000.0.unpack, FenetreAjouterModule.cs | .Net Code: jkawhd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Suspicious powershell command line found
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 0_2_05623BB9 push eax; mov dword ptr [esp], edx
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 11_2_00A4F930 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00CBD95C push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00CBE32B push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00F56A4F push edi; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00F56B1F push ebx; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00F58EE1 push ebx; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00F516A1 push edx; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 14_2_00F59981 push ebx; retf
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 20_2_02BCE332 push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Code function: 20_2_02BCD95C push eax; ret

                      Boot Survival:

Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe | PE file moved: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\wscript.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2389
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 606
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWindow / User API: threadDelayed 2788
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWindow / User API: threadDelayed 7055
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWindow / User API: threadDelayed 413
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWindow / User API: threadDelayed 9445
                      Source: C:\Windows\SysWOW64\timeout.exe TID: 6112Thread sleep count: 33 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6764Thread sleep count: 2389 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6752Thread sleep count: 606 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6520Thread sleep count: 50 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6024Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5764Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6828Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5176Thread sleep time: -22136092888451448s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5180Thread sleep count: 2788 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5180Thread sleep count: 7055 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 2792Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 5160Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6152Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6304Thread sleep count: 413 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe TID: 6304Thread sleep count: 9445 > 30
                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe:Zone.Identifier
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: powershell.exe, 00000006.00000002.765881001.0000000005926000.00000004.00000001.sdmpBinary or memory string: Hyper-V
                      Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx'_
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.656896998.00000000013C1000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.670903205.0000000008E70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.742086872.0000000007C70000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.799589540.0000000006730000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: powershell.exe, 00000006.00000002.765881001.0000000005926000.00000004.00000001.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugFlags
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 4
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901119137.0000000001310000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.900989066.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\micross.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.743151064.000000000862E000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.800068614.0000000007E80000.00000004.00000001.sdmp | Binary or memory string: \??\C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.671110007.00000000091E0000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp | Binary or memory string: l.C:\Program Files (x86)\AVG\Antivirus\AVGUI.exe
Source: Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp | Binary or memory string: l(C:\Program Files\AVG\Antivirus\AVGUI.exe
Source: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
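The entries above show a second copy of the sample running from the user's Startup folder under the same PDF-lure name, which is the persistence the "Drops PE files to the startup folder" signature refers to. The Python script below is an added example, not part of this report or of Joe Sandbox: it walks a Startup directory, keeps only files that carry a real MZ/PE header (the extension is ignored for that decision) and flags document-lure names such as "... PDF.exe" or "scan.pdf.exe". The lure-name pattern, the default Startup path and the constructed sample directory are this example's own assumptions.

```python
"""Hunt for PE files that were dropped into a user's Startup folder.

Added example, not part of the sandbox report. The report shows the sample
copying itself unchanged into
  %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\
under the lure name "Payment Confirmation ... -copy- PDF.exe". This script
keeps only real PE files (judged by the MZ/PE headers, not by the extension)
and flags document-lure names. The heuristics and the constructed sample
directory are this example's own.
"""
import os
import re
import struct
import tempfile
from pathlib import Path

# "Invoice PDF.exe", "scan.pdf.exe", "order -copy- PDF.exe": a document word
# right before the .exe suffix, separated only by space, dot or dash.
LURE_RE = re.compile(r"[\s.\-](?:pdf|docx?|xlsx?|jpe?g|png)[\s.\-]*\.exe$", re.IGNORECASE)

# Assumed default location; resolves to a non-existent relative path off Windows.
DEFAULT_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup"


def is_pe(path: Path) -> bool:
    """True if the file has an MZ header and a 'PE\\0\\0' signature at e_lfanew."""
    try:
        with path.open("rb") as fh:
            dos = fh.read(0x40)
            if len(dos) < 0x40 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_startup(startup_dir: Path) -> list:
    """Return one finding per PE file in startup_dir, with the reasons it was flagged."""
    findings = []
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or not is_pe(entry):
            continue  # shortcuts, desktop.ini and plain scripts are out of scope here
        reasons = ["PE file in Startup folder"]
        if LURE_RE.search(entry.name):
            reasons.append("document-lure file name")
        if entry.suffix.lower() != ".exe":
            reasons.append("PE with non-.exe extension")
        findings.append({"path": str(entry), "reasons": reasons})
    return findings


def minimal_pe() -> bytes:
    """Smallest byte string is_pe() accepts: MZ header, e_lfanew = 0x40, PE signature."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20


def build_sample_dir() -> Path:
    """Constructed Startup folder for offline testing; no real malware involved."""
    d = Path(tempfile.mkdtemp(prefix="startup-"))
    (d / "Payment Confirmation WRT547879808054962 -copy- PDF.exe").write_bytes(minimal_pe())
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")    # benign, not a PE
    (d / "Invoice.pdf.exe").write_text("not really a PE\n")   # lure name but no MZ header
    return d


if __name__ == "__main__":
    target = DEFAULT_STARTUP if DEFAULT_STARTUP.is_dir() else build_sample_dir()
    for f in scan_startup(target):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

On a Windows host the script scans the real Startup folder; elsewhere it falls back to the constructed directory. A file like Invoice.pdf.exe that is not actually a PE is deliberately left out of the findings, so the check keys on the behaviour the report documents (an executable planted for autostart) rather than on a file name alone.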

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 7004, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6756, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.3549198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39177a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4278350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 7004, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 5568, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6972, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6756, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment Confirmation WRT547879808054962 -copy- PDF.exe PID: 6064, type: MEMORY
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.3549198.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35a91d8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4298370.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.42d8390.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39177a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.4278350.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.35691b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39377c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.39777e0.4.raw.unpack, type: UNPACKEDPE
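The Yara lists under "Stealing of Sensitive Information" and "Remote Access Functionality" name the same memory dumps and unpacked PEs. Their identifiers encode which process and which region each hit came from, and reading them together is what turns a wall of hashes into a finding: the hits in processes 14 and 20 sit at 0x402000, in a region dumped with protection 0x40, inside the PE unpacked at 0x400000, which is the same 14.2/20.2 ...400000.0.unpack that Avira rates at 100% in the unpacked-PE table below. The Python below is an added example, not code from this report or from Joe Sandbox: it parses the identifiers, groups them by process index and names the processes whose payload lives at the image base in an RWX region. Reading the first field as the process index and the long hex field as a base address is consistent with the report's own cross-references (0x12 = 18.2, 0x0E = 14.2, 0x14 = 20.2); reading the following field as a Win32 PAGE_* protection constant, ignoring the id and type fields, and the 1 MiB image window are this example's assumptions.

```python
"""Group the report's Yara-match identifiers by process and memory region.

Added example, not part of the sandbox report. Joe Sandbox names memory dumps
  <proc>.<stage>.<id>.<base>.<prot>.<type>.sdmp   (hex fields except <id>)
and unpacked PEs
  <proc>.<stage>.<file>.<base>.<n>[.raw].unpack   (<proc> decimal, <base> hex).
Reading <proc> as the process index and <base> as the region address agrees
with the report's own cross-references. Reading <prot> as a Win32 PAGE_*
constant (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE) is this
example's assumption; <id> and <type> are ignored.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
IMAGE_BASE = 0x400000          # default image base of a 32-bit executable
IMAGE_WINDOW = 0x100000        # assumed upper bound on the unpacked image size

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.\d+\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$", re.I)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<file>.+?)\.(?P<base>[0-9a-f]+)\.\d+(?P<raw>\.raw)?\.unpack$")
MATCH_RE = re.compile(r"File source: (?P<src>.+?), type: (?P<kind>\w+)")

# Constructed sample input: a subset of the match lines from this report.
EXE = "Payment Confirmation WRT547879808054962 -copy- PDF.exe"
YARA_LINES = [
    "File source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    "File source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, type: MEMORY",
    "File source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, type: MEMORY",
    f"File source: Process Memory Space: {EXE} PID: 7004, type: MEMORY",
    f"File source: Process Memory Space: {EXE} PID: 5568, type: MEMORY",
    f"File source: 11.2.{EXE}.35a91d8.4.unpack, type: UNPACKEDPE",
    f"File source: 0.2.{EXE}.4298370.3.raw.unpack, type: UNPACKEDPE",
    f"File source: 18.2.{EXE}.39777e0.4.unpack, type: UNPACKEDPE",
    f"File source: 20.2.{EXE}.400000.0.unpack, type: UNPACKEDPE",
    f"File source: 14.2.{EXE}.400000.0.unpack, type: UNPACKEDPE",
]


def parse_match(line):
    """Classify one Yara-match line as a whole process, a memory dump or an unpacked PE."""
    m = MATCH_RE.search(line)
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    if kind == "MEMORY" and src.startswith("Process Memory Space:"):
        return {"kind": "process", "pid": int(src.rsplit("PID: ", 1)[1])}
    if kind == "MEMORY" and (d := SDMP_RE.match(src)):
        return {"kind": "dump", "proc": int(d["proc"], 16),
                "base": int(d["base"], 16), "prot": int(d["prot"], 16)}
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        return {"kind": "unpack", "proc": int(u["proc"]),
                "base": int(u["base"], 16), "raw": u["raw"] is not None}
    return None


def correlate(lines):
    """Per process index: dump bases, unpacked-PE bases and RWX bases; plus the PIDs seen."""
    per_proc = defaultdict(lambda: {"dumps": [], "unpacks": [], "rwx": set()})
    pids = set()
    for line in lines:
        rec = parse_match(line)
        if rec is None:
            continue
        if rec["kind"] == "process":
            pids.add(rec["pid"])
        elif rec["kind"] == "dump":
            per_proc[rec["proc"]]["dumps"].append(rec["base"])
            if rec["prot"] == PAGE_EXECUTE_READWRITE:
                per_proc[rec["proc"]]["rwx"].add(rec["base"])
        else:
            per_proc[rec["proc"]]["unpacks"].append(rec["base"])
    return dict(per_proc), pids


def injected_payloads(per_proc):
    """Process indices with a PE unpacked at IMAGE_BASE and a Yara-matching RWX region inside it."""
    return sorted(p for p, info in per_proc.items()
                  if IMAGE_BASE in info["unpacks"]
                  and any(IMAGE_BASE <= b < IMAGE_BASE + IMAGE_WINDOW for b in info["rwx"]))


if __name__ == "__main__":
    per_proc, pids = correlate(YARA_LINES)
    for proc in sorted(per_proc):
        info = per_proc[proc]
        print(f"process {proc:2d}: dumps={[hex(b) for b in info['dumps']]} "
              f"unpacks={[hex(b) for b in info['unpacks']]} rwx={[hex(b) for b in info['rwx']]}")
    print("PIDs with whole-process hits:", sorted(pids))
    print("payload at image base in RWX memory:", injected_payloads(per_proc))
```

Processes 0, 11 and 18 only match in heap-like regions (protection 0x04) at addresses in the 0x35xxxxx to 0x42xxxxx range, which is where a .NET loader keeps a decrypted payload before it is run; processes 14 and 20 are the ones in which that payload is mapped at 0x400000 and executing, so those are the dumps to take into static analysis.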

                      Mitre Att&ck Matrix

Transposed from the report's 14-column grid: one line per tactic, listing that column's techniques top to bottom. Bracketed digits are the report's numeric badges, kept as printed; they mark the techniques observed for this sample, the remaining entries are the grid's fixed rows.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [221]; Command and Scripting Interpreter [1]; Scripting [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection [12]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [151]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Scripting [1]; Obfuscated Files or Information [1]; Software Packing [11]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Query Registry [1]; Security Software Discovery [151]; Process Discovery [2]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [2]; System Information Discovery [113]; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [11]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph

Behavior Graph ID: 385436 | Sample: Payment Confirmation WRT547879808054962 -copy- PDF.exe | Start date: 12/04/2021 | Architecture: WINDOWS | Score: 96

Signatures on the root node: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 6 other signatures

Process tree recovered from the graph ("->" = started; bracketed text = signature attached to that node):

Payment Confirmation WRT547879808054962 -copy- PDF.exe (first instance)
    network: 192.168.2.1 (unknown), onedrive.live.com, 2 other IPs or domains
    -> cmd.exe [Suspicious powershell command line found]
        -> wscript.exe [Drops PE files to the startup folder]
        -> powershell.exe
            -> Payment Confirmation WRT547879808054962 -copy- PDF.exe
                network: onedrive.live.com, lniuzw.bn.files.1drv.com, bn-files.fe.1drv.com
                -> Payment Confirmation WRT547879808054962 -copy- PDF.exe
        -> conhost.exe
        -> timeout.exe

Payment Confirmation WRT547879808054962 -copy- PDF.exe (second instance)
    network: onedrive.live.com, lniuzw.bn.files.1drv.com, bn-files.fe.1drv.com
    dropped: Payment Confirmati... -copy- PDF.exe.log (ASCII)
    -> Payment Confirmation WRT547879808054962 -copy- PDF.exe


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Payment Confirmation WRT547879808054962 -copy- PDF.exe | 7% | Virustotal |
                      Payment Confirmation WRT547879808054962 -copy- PDF.exe | 2% | ReversingLabs | ByteCode-MSIL.Trojan.Injuke

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      20.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
                      14.2.Payment Confirmation WRT547879808054962 -copy- PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

                      Source | Detection | Scanner | Label
                      http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
                      http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                      https://lniuzw.bn.files.1drv.com46kxM | 0% | Avira URL Cloud | safe
                      https://contoso.com/License | 0% | URL Reputation | safe
                      http://www.tiro.com | 0% | URL Reputation | safe
                      http://WOxurg.com | 0% | Avira URL Cloud | safe
                      http://www.goodfont.co.kr | 0% | URL Reputation | safe
                      http://www.sajatypeworks.com | 0% | URL Reputation | safe
                      http://www.typography.netD | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                      http://fontfabrik.com | 0% | URL Reputation | safe
                      https://contoso.com/ | 0% | URL Reputation | safe
                      http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                      http://www.sandoll.co.kr | 0% | URL Reputation | safe
                      http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                      http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                      http://www.sakkal.com | 0% | URL Reputation | safe
                      https://lniuzw.bn.files.1drv.com46kpMH | 0% | Avira URL Cloud | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
                      http://DynDns.comDynDNS | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
                      https://go.micro | 0% | URL Reputation | safe
                      https://contoso.com/Icon | 0% | URL Reputation | safe
                      https://lniuzw.bn.files.1drv.com46k | 0% | Avira URL Cloud | safe
                      http://www.carterandcone.coml | 0% | URL Reputation | safe
                      http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                      http://pesterbdd.com/images/Pester.pngL | 0% | Avira URL Cloud | safe
                      http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      onedrive.live.com | unknown | unknown | false | | high
                      lniuzw.bn.files.1drv.com | unknown | unknown | false | | high

                          URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
                      http://www.fontbureau.com/designersG | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://www.fontbureau.com/designers/? | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      https://onedrive.live.com/download?cid=A263F254A0224137&resid=A263F254A0224137%211108&authkey=AC8o8n | Payment Confirmation WRT547879808054962 -copy- PDF.exe | false | | high
                      http://www.founder.com.cn/cn/bThe | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://lniuzw.bn.files.1drv.com46kxM | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792585458.0000000002841000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://github.com/Pester/PesterL | powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp | false | | high
                      http://www.fontbureau.com/designers? | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      https://contoso.com/License | powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.tiro.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://WOxurg.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      http://www.fontbureau.com/designers | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://www.goodfont.co.kr | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.sajatypeworks.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.typography.netD | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.founder.com.cn/cn/cThe | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.galapagosdesign.com/staff/dennis.htm | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://fontfabrik.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://contoso.com/ | powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp | false | | high
                      http://www.galapagosdesign.com/DPlease | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fonts.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://www.sandoll.co.kr | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.urwpp.deDPlease | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.zhongyicts.com.cn | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.762327814.0000000005241000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp | false | | high
                      http://www.sakkal.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://lniuzw.bn.files.1drv.com46kpMH | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732872905.0000000002471000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp | false | | high
                      http://www.apache.org/licenses/LICENSE-2.0 | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://www.fontbureau.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://DynDns.comDynDNS | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://pesterbdd.com/images/Pester.png | powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://onedrive.live.com | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp | false | | high
                      https://lniuzw.bn.files.1drv.com/y4mXLu603m3jm6-ClIGtC1Az35xWdigz4o0siY8DGpOvlqCOwFnvAGFtLpqNdNR5rqj | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792439393.0000000002826000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792585458.0000000002841000.00000004.00000001.sdmp | false | | high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp | false | | high
                      https://go.micro | powershell.exe, 00000006.00000002.766180901.0000000005AC4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://lniuzw.bn.files.1drv.com/y4m5XX6QkrwADm0BE9F-KSc8YnyeZDSlbhZLWTjlFVYy-veD8YYcFqN28-tktG1NL85 | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732872905.0000000002471000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732784004.0000000002456000.00000004.00000001.sdmp | false | | high
                      https://contoso.com/Icon | powershell.exe, 00000006.00000002.766581176.00000000062A4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      https://onedrive.live.com/download?cid=A263F254A0224137&resid=A263F254A0224137 | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657236916.0000000003151000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732726445.0000000002421000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792255406.00000000027F1000.00000004.00000001.sdmp | false | | high
                      https://lniuzw.bn.files.1drv.com46k | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657314649.00000000031A2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://github.com/Pester/Pester | powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp | false | | high
                      http://www.carterandcone.coml | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/cabarga.htmlN | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://www.founder.com.cn/cn | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://www.fontbureau.com/designers/frere-user.html | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | | high
                      http://pesterbdd.com/images/Pester.pngL | powershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                      https://lniuzw.bn.files.1drv.com/y4mfan37UkvAP8TzysQzz8DHHDcbHobX5nJ5uM87bEKvhvSbPaxkqGBpPPXuMtIgMOn | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657349528.000000000320B000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657277111.0000000003186000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732784004.0000000002456000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.732944742.00000000024DA000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792439393.0000000002826000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.792755020.00000000028AA000.00000004.00000001.sdmp | false | | high
                      http://www.jiyu-kobo.co.jp/ | Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmp | false | URL Reputation: safe |
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    https://lniuzw.bn.files.1drv.com/y4mMeZFRcepSUvfHHz78iFvE-ZuqZc3MQxw65cL9BgxxRG8uSqXuaPfM-QzJZ6boj4ZPayment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657303347.000000000319A000.00000004.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.657314649.00000000031A2000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      http://www.fontbureau.com/designers8Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000000.00000002.660012387.0000000006160000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 0000000B.00000002.738975716.0000000005380000.00000002.00000001.sdmp, Payment Confirmation WRT547879808054962 -copy- PDF.exe, 00000012.00000002.797577914.0000000005630000.00000002.00000001.sdmpfalse
                                                                        high
                                                                        http://www.apache.org/licenses/LICENSE-2.0.htmlLpowershell.exe, 00000006.00000002.762740880.0000000005383000.00000004.00000001.sdmpfalse
                                                                          high

Contacted IPs


Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385436
Start date: 12.04.2021
Start time: 14:21:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment Confirmation WRT547879808054962 -copy- PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.adwa.evad.winEXE@17/5@12/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 13.107.3.254, 13.107.246.254, 40.88.32.150, 13.107.42.13, 13.107.43.13, 13.107.43.12, 13.107.42.12, 20.82.210.154, 104.42.151.234, 92.122.213.194, 92.122.213.247, 13.88.21.125, 104.43.139.144, 52.155.217.156, 20.54.26.129, 168.61.161.212, 20.50.102.62
• Excluded domains from analysis (whitelisted): odc-bn-files.onedrive.akadns.net.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, l-0004.dc-msedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, odc-bn-files-geo.onedrive.akadns.net, l-0004.l-msedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, odc-bn-files-brs.onedrive.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, l-0003.dc-msedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
14:22:17 | API Interceptor | 733x Sleep call for process: Payment Confirmation WRT547879808054962 -copy- PDF.exe modified
14:22:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
14:22:53 | API Interceptor | 23x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation WRT547879808054962 -copy- PDF.exe.log
Process: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 17500
Entropy (8bit): 5.278168442568793
Encrypted: false
SSDEEP: 384:Qt9/UPInSQLQTQbLU0K3I1JNHGnudTNkQsF:VIQQbLU0bXhGudo
MD5: F5F1413CCD1DC090DD88239D4A39BAB5
SHA1: 14EF31F6555443DBA547B0DE806B3231B713A30B
SHA-256: FF8D5A5E7DC7307172BDDA03D536B45E6522B9F5D2F881017A42E2420A82C2DA
SHA-512: 229A735B581F1858A29AFC614901E535FB1925EB3A6673FC095B575F6C03588B911C8AF27533904AC14EA1DE12DAA40EBDA3C9DF67C05489D8877B77D832EB99
Malicious: false
Reputation: low
                                                                          Preview: @...e.......................P.=.......~.:............@..........D...............fZve...F.....x.)a.......System.Management.AutomationH...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHost4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jdlw2aem.w5f.psm1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qurmoeqb.f3b.ps1
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Reputation: high, very likely benign file
Preview: 1

C:\Users\user\Documents\20210412\PowerShell_transcript.688098.PfOYUrM6.20210412142231.txt
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1257
Entropy (8bit): 5.228057303399328
Encrypted: false
SSDEEP: 24:BxSA57vBZ1Zx2DOXdBmmuVMyx0WBHjeTKKjX4CIym1ZJXLBmmuVMyxWmnxSAZc:BZVvj/oONFubBqDYB1ZFFu6oZZc
MD5: 8CBD1A6C02FC25E98075A9AA33023528
SHA1: 82C3BA2269D1DBE9FBD75E3223A7AEC5298BA082
SHA-256: 6754F1A11062ECF59AD6035B40E55599EE625F2CF7EF2EB6616994E936709116
SHA-512: BDF621458CC87A23270AE408D68B6E84E162167C77D4F3C97AD13BECB63A05F7A4B2EC9A5E022373E0827EEAB1DC4BA1DC37E5FE2E7249D3B5AF917218BC1E28
Malicious: false
                                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20210412142246..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 688098 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'..Process ID: 6616..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210412142247..**********************..PS>Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confi

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.957838652068988
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Payment Confirmation WRT547879808054962 -copy- PDF.exe
File size: 50688
MD5: 4fd9b2fe130283684b83a724e907f9cc
SHA1: 7b76fc786ae6827a016008d8f673f965382df74f
SHA256: c42183aaf2368c13bddd363af982f2725e599581869f08f9041d6cd0c47cfe41
SHA512: 1fc302fc8b19f30b5ac118be018938c9724fc0405b1d7eea56a3b773d544528d29615fc43e172153e948b1b01b6160bd2a9ad92bb8ce2d148913345011b45946
SSDEEP: 768:967uC4xLTVJ/9kayxYuvqjCoe9aNz08WNc2:ayLPLuCj2cNz0vJ
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.e`..............0.............v.... ........@.. ....................... ............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40da76
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6065C628 [Thu Apr 1 13:10:00 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xda24           0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x540         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xd8ec           0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

The empty SECURITY entry means the file carries no Authenticode signature. The populated COM_DESCRIPTOR entry (the CLR header, here inside .text) is what marks the file as a managed .NET executable, matching the single mscoree.dll!_CorExeMain import listed under Imports.

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0xba7c        0xbc00    False     0.311689660904   data       5.0246251873     IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xe000           0x540         0x600     False     0.39453125       data       3.87421246893    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

A .text entropy of about 5.0 is ordinary for uncompressed CIL; a section holding a compressed or encrypted payload would sit close to 8.0. The signatures above ("very large array initializations", "potential unpacker") point at a payload embedded in managed data rather than a packed native section.

Resources

Name         RVA     Size   Type                                                                           Language  Country
RT_VERSION   0xe090  0x2b0  data
RT_MANIFEST  0xe350  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

This is the normal import table of a managed executable: the native loader only calls into the CLR, so any Windows API the managed code uses (the WMI queries and process creation listed in the signatures) is resolved by the runtime at run time and does not appear here.

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    (empty)
Assembly Version  0.0.0.0
InternalName      Zandi.exe
FileVersion       0.0.0.0
CompanyName       (empty)
Comments          (empty)
ProductName       Zandi
ProductVersion    0.0.0.0
FileDescription   Zandi
OriginalFilename  Zandi.exe

The version resource names the binary Zandi.exe; the submitted name, Payment Confirmation WRT547879808054962 -copy- PDF.exe, is a lure and appears nowhere in the file's own metadata.
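
The tables above contain the fields a triage needs from the PE header: the data directories, the section table with entropy, and the CLR header that identifies a .NET image. The following Python is an added example for this report (not Joe Sandbox code and not the sample's code) that parses those fields from any PE32 file and applies the same checks. build_sample_pe() constructs an image with this report's RVAs, sizes and section characteristics so the parser can be run offline; its section bodies are synthetic filler, so the entropies it yields (8.0 for .text, 0.0 for the others) are not the report's values.

```python
"""Parse PE32 data directories, section table and per-section entropy,
and apply the .NET (CLR header) check. Added example; not Joe Sandbox code."""
import math
import struct
from collections import Counter

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table (PE32 only)."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here (PE32+ lays the optional header out differently)")
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    num_dirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = {}
    for i in range(min(num_dirs, len(DIRECTORY_NAMES))):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", buf, opt + 96 + 8 * i)  # (rva, size)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = buf[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", buf, hdr + 8)
        chars = struct.unpack_from("<I", buf, hdr + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "rsize": rsize,
                         "chars": chars, "entropy": shannon_entropy(buf[rptr:rptr + rsize])})
    return {"machine": machine, "image_base": image_base, "dirs": dirs, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains rva (the report's 'Is in Section' column)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["name"]
    return None


def is_dotnet(info: dict) -> bool:
    """A populated COM_DESCRIPTOR (CLR header) entry is what makes a PE a managed assembly."""
    rva, size = info["dirs"].get("COM_DESCRIPTOR", (0, 0))
    return rva != 0 and size != 0


def build_sample_pe() -> bytes:
    """Constructed PE32 with this report's RVAs and sizes; the section bodies are synthetic filler."""
    specs = [(b".text", 0x2000, 0xBA7C, 0xBC00, 0x60000020),   # name, VA, VirtualSize, RawSize, Characteristics
             (b".rsrc", 0xE000, 0x540, 0x600, 0x40000040),
             (b".reloc", 0x10000, 0xC, 0x200, 0x42000040)]
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    for i, (rva, size) in {1: (0xDA24, 0x4F), 2: (0xE000, 0x540), 5: (0x10000, 0xC),
                           6: (0xD8EC, 0x1C), 12: (0x2000, 0x8), 14: (0x2008, 0x48)}.items():
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(specs)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                        # 0x200 file alignment
    table, body = bytearray(), bytearray()
    for name, va, vsize, rsize, chars in specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw_ptr, 0, 0, 0, 0, chars)
        # .text gets every byte value equally often (entropy exactly 8.0); the rest are zeros (0.0)
        body += bytes(range(256)) * (rsize // 256) if name == b".text" else bytes(rsize)
        raw_ptr += rsize
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return header + bytes(((hdr_len + 0x1FF) & ~0x1FF) - hdr_len) + bytes(body)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("managed (.NET) image:", is_dotnet(info))
    for name, (rva, size) in info["dirs"].items():
        if size:
            print(f"  {name:<15} rva=0x{rva:<6x} size=0x{size:<4x} in {section_for_rva(info['sections'], rva)}")
    for s in info["sections"]:
        print(f"  {s['name']:<7} va=0x{s['va']:x} vsize=0x{s['vsize']:x} entropy={s['entropy']:.2f}")
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(); the parser deliberately refuses PE32+ images rather than misreading their 64-bit ImageBase field.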

Network Behavior

Network Port Distribution

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 12, 2021 14:22:01.802047014 CEST  53           53097      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:01.976550102 CEST  49257        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:02.025477886 CEST  53           49257      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:03.085555077 CEST  62389        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:03.134634018 CEST  53           62389      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:04.036870956 CEST  49910        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:04.089728117 CEST  53           49910      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:15.124603033 CEST  55854        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:15.176505089 CEST  53           55854      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:15.191438913 CEST  64549        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:15.252652884 CEST  53           64549      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:15.811966896 CEST  63153        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:15.952936888 CEST  53           63153      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:15.964736938 CEST  52991        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:16.099365950 CEST  53           52991      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:33.239751101 CEST  53700        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:33.302366018 CEST  53           53700      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:37.047015905 CEST  51726        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:37.100610971 CEST  53           51726      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:38.358124018 CEST  56794        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:38.417256117 CEST  53           56794      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:40.778233051 CEST  56534        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:40.831481934 CEST  53           56534      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:42.231142044 CEST  56627        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:42.285109997 CEST  53           56627      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:45.063591957 CEST  56621        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:45.112826109 CEST  53           56621      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:46.478192091 CEST  63116        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:46.570987940 CEST  53           63116      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:46.596683979 CEST  64078        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:46.661503077 CEST  53           64078      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:47.501341105 CEST  64801        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:47.576450109 CEST  53           64801      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:47.598403931 CEST  61721        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:47.737687111 CEST  53           61721      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:56.550940990 CEST  51255        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:56.602713108 CEST  53           51255      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:57.217248917 CEST  61522        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:57.501565933 CEST  53           61522      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:57.831146002 CEST  52337        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:57.882616043 CEST  53           52337      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:58.302270889 CEST  55046        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:58.453994036 CEST  53           55046      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:58.731311083 CEST  49612        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:58.789798975 CEST  53           49612      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:59.059166908 CEST  49285        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:59.231391907 CEST  53           49285      8.8.8.8      192.168.2.4
Apr 12, 2021 14:22:59.778220892 CEST  50601        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:22:59.840100050 CEST  53           50601      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:00.689821959 CEST  60875        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:00.750257969 CEST  53           60875      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:02.180051088 CEST  56448        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:02.342681885 CEST  53           56448      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:03.767469883 CEST  59172        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:03.824595928 CEST  53           59172      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:04.870042086 CEST  62420        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:04.927144051 CEST  53           62420      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:06.078257084 CEST  60579        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:06.135668993 CEST  53           60579      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:07.270997047 CEST  50183        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:07.333539963 CEST  53           50183      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:10.252119064 CEST  61531        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:10.300569057 CEST  53           61531      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:10.355849028 CEST  49228        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:10.413444042 CEST  53           49228      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:11.144407034 CEST  59794        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:11.202083111 CEST  53           59794      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:11.211198092 CEST  55916        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:11.273487091 CEST  53           55916      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:13.633805037 CEST  52752        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:13.692388058 CEST  53           52752      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:22.148554087 CEST  60542        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:22.202380896 CEST  53           60542      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:23.078506947 CEST  60689        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:23.130515099 CEST  53           60689      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:24.128814936 CEST  64206        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:24.180645943 CEST  53           64206      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:25.317631960 CEST  50904        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:25.376395941 CEST  53           50904      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:41.039392948 CEST  57525        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:41.090745926 CEST  53           57525      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:42.727632999 CEST  53814        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:42.777848005 CEST  53           53814      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:47.441457033 CEST  53418        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:47.490138054 CEST  53           53418      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:47.678069115 CEST  62833        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:47.726665974 CEST  53           62833      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:49.166157007 CEST  59260        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:49.232930899 CEST  53           59260      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:56.312482119 CEST  49944        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:56.364100933 CEST  53           49944      8.8.8.8      192.168.2.4
Apr 12, 2021 14:23:59.689462900 CEST  63300        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:23:59.740407944 CEST  53           63300      8.8.8.8      192.168.2.4
Apr 12, 2021 14:24:00.599550962 CEST  61449        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:24:00.651227951 CEST  53           61449      8.8.8.8      192.168.2.4
Apr 12, 2021 14:24:01.490228891 CEST  51275        53         192.168.2.4  8.8.8.8
Apr 12, 2021 14:24:01.541055918 CEST  53           51275      8.8.8.8      192.168.2.4

All UDP traffic is DNS to the resolver 8.8.8.8: 48 query/response pairs plus a first row that is a response to a query not shown in the table. Only 12 of the 48 queries are itemised in the DNS Queries table below; the remaining port-53 exchanges are not broken out in the report.

DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class
Apr 12, 2021 14:22:15.124603033 CEST  192.168.2.4  8.8.8.8  0xfb05    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:15.191438913 CEST  192.168.2.4  8.8.8.8  0xcdec    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:15.811966896 CEST  192.168.2.4  8.8.8.8  0xdf6e    Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:15.964736938 CEST  192.168.2.4  8.8.8.8  0xc5c0    Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:46.478192091 CEST  192.168.2.4  8.8.8.8  0xebcd    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:46.596683979 CEST  192.168.2.4  8.8.8.8  0xd6f0    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:47.501341105 CEST  192.168.2.4  8.8.8.8  0x93a     Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)
Apr 12, 2021 14:22:47.598403931 CEST  192.168.2.4  8.8.8.8  0x1eea    Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)
Apr 12, 2021 14:23:10.252119064 CEST  192.168.2.4  8.8.8.8  0x181e    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:23:10.355849028 CEST  192.168.2.4  8.8.8.8  0x8266    Standard query (0)  onedrive.live.com         A (IP address)  IN (0x0001)
Apr 12, 2021 14:23:11.144407034 CEST  192.168.2.4  8.8.8.8  0x751c    Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)
Apr 12, 2021 14:23:11.211198092 CEST  192.168.2.4  8.8.8.8  0x1160    Standard query (0)  lniuzw.bn.files.1drv.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                                 Address  Type                    Class
Apr 12, 2021 14:22:15.176505089 CEST  8.8.8.8    192.168.2.4  0xfb05    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:15.252652884 CEST  8.8.8.8    192.168.2.4  0xcdec    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:15.952936888 CEST  8.8.8.8    192.168.2.4  0xdf6e    No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:15.952936888 CEST  8.8.8.8    192.168.2.4  0xdf6e    No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:16.099365950 CEST  8.8.8.8    192.168.2.4  0xc5c0    No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:16.099365950 CEST  8.8.8.8    192.168.2.4  0xc5c0    No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:46.570987940 CEST  8.8.8.8    192.168.2.4  0xebcd    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:46.661503077 CEST  8.8.8.8    192.168.2.4  0xd6f0    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:47.576450109 CEST  8.8.8.8    192.168.2.4  0x93a     No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:47.576450109 CEST  8.8.8.8    192.168.2.4  0x93a     No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:47.737687111 CEST  8.8.8.8    192.168.2.4  0x1eea    No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:22:47.737687111 CEST  8.8.8.8    192.168.2.4  0x1eea    No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:10.300569057 CEST  8.8.8.8    192.168.2.4  0x181e    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:10.413444042 CEST  8.8.8.8    192.168.2.4  0x8266    No error (0)  onedrive.live.com         odc-web-geo.onedrive.akadns.net       -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:11.202083111 CEST  8.8.8.8    192.168.2.4  0x751c    No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:11.202083111 CEST  8.8.8.8    192.168.2.4  0x751c    No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:11.273487091 CEST  8.8.8.8    192.168.2.4  0x1160    No error (0)  lniuzw.bn.files.1drv.com  bn-files.fe.1drv.com                  -        CNAME (Canonical name)  IN (0x0001)
Apr 12, 2021 14:23:11.273487091 CEST  8.8.8.8    192.168.2.4  0x1160    No error (0)  bn-files.fe.1drv.com      odc-bn-files-geo.onedrive.akadns.net  -        CNAME (Canonical name)  IN (0x0001)

The Address column is empty in every row ("-"): the report lists only the CNAME hops, so the final IP addresses of the OneDrive endpoints are not recorded here. The sample resolves onedrive.live.com and then lniuzw.bn.files.1drv.com in three rounds roughly half a minute apart (14:22:15, 14:22:47, 14:23:11), each pair of queries issued twice.

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior


                                                                          System Behavior

                                                                          General

                                                                          Start time: 14:22:08
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: 'C:\Users\user\Desktop\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
                                                                          Imagebase: 0xcb0000
                                                                          File size: 50688 bytes
                                                                          MD5 hash: 4FD9B2FE130283684B83A724E907F9CC
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.658411301.00000000042D8000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.658331129.0000000004260000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation: low

                                                                          General

                                                                          Start time: 14:22:19
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: cmd.exe /c timeout 4 & 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js' && powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
                                                                          Imagebase: 0x11d0000
                                                                          File size: 232960 bytes
                                                                          MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: C, C++ or other language
                                                                          Reputation: high

                                                                          General

                                                                          Start time: 14:22:19
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit): false
                                                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase: 0x7ff724c50000
                                                                          File size: 625664 bytes
                                                                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: C, C++ or other language
                                                                          Reputation: high

                                                                          General

                                                                          Start time: 14:22:20
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Windows\SysWOW64\timeout.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: timeout 4
                                                                          Imagebase: 0xe50000
                                                                          File size: 26112 bytes
                                                                          MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: C, C++ or other language
                                                                          Reputation: high

                                                                          General

                                                                          Start time: 14:22:27
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Windows\SysWOW64\wscript.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: 'C:\Windows\System32\wscript.exe' 'C:\Users\user\AppData\Local\Temp\\310197.js'
                                                                          Imagebase: 0xaf0000
                                                                          File size: 147456 bytes
                                                                          MD5 hash: 7075DD7B9BE8807FCA93ACD86F724884
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: C, C++ or other language
                                                                          Reputation: high

                                                                          General

                                                                          Start time: 14:22:29
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: powershell -command Start-Sleep -s 4; Start-Process -WindowStyle hidden -FilePath 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
                                                                          Imagebase: 0xf30000
                                                                          File size: 430592 bytes
                                                                          MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Reputation: high

                                                                          General

                                                                          Start time: 14:22:40
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
                                                                          Imagebase: 0x90000
                                                                          File size: 50688 bytes
                                                                          MD5 hash: 4FD9B2FE130283684B83A724E907F9CC
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.734498913.0000000003531000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.734571526.00000000035A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation: low

                                                                          General

                                                                          Start time: 14:22:53
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Imagebase: 0x610000
                                                                          File size: 50688 bytes
                                                                          MD5 hash: 4FD9B2FE130283684B83A724E907F9CC
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.899443671.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.901604187.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation: low

                                                                          General

                                                                          Start time: 14:23:05
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe'
                                                                          Imagebase: 0x330000
                                                                          File size: 50688 bytes
                                                                          MD5 hash: 4FD9B2FE130283684B83A724E907F9CC
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.795783950.0000000003977000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.795361955.00000000038FF000.00000004.00000001.sdmp, Author: Joe Security
                                                                          Reputation: low

                                                                          General

                                                                          Start time: 14:23:18
                                                                          Start date: 12/04/2021
                                                                          Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Wow64 process (32bit): true
                                                                          Commandline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payment Confirmation WRT547879808054962 -copy- PDF.exe
                                                                          Imagebase: 0x8b0000
                                                                          File size: 50688 bytes
                                                                          MD5 hash: 4FD9B2FE130283684B83A724E907F9CC
                                                                          Has elevated privileges: true
                                                                          Has administrator privileges: true
                                                                          Programmed in: .Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.901766585.0000000002DF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000014.00000002.899443040.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                          Reputation: low

                                                                          Disassembly

                                                                          Code Analysis
