
Windows Analysis Report balance payment.exe

Overview

General Information

Sample Name: balance payment.exe
Analysis ID: 528509
MD5: 8749faaa0cd99cc1c11849ac401736e2
SHA1: aa20d9562fba4be847abaa8d3fb3c5335dd9ecf4
SHA256: f7e55c2a4643804d04c3be2a535f480bd1afdbb3d627769dddffe96b93546b0a
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • balance payment.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\balance payment.exe" MD5: 8749FAAA0CD99CC1C11849AC401736E2)
    • schtasks.exe (PID: 3132 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • tKZVPq.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: 8749FAAA0CD99CC1C11849AC401736E2)
    • schtasks.exe (PID: 5048 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp5CD.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • tKZVPq.exe (PID: 7112 cmdline: {path} MD5: 8749FAAA0CD99CC1C11849AC401736E2)
    • tKZVPq.exe (PID: 5572 cmdline: {path} MD5: 8749FAAA0CD99CC1C11849AC401736E2)
  • tKZVPq.exe (PID: 3016 cmdline: "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe" MD5: 8749FAAA0CD99CC1C11849AC401736E2)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "admin@nktech.com.sg", "Password": "Nktech@64", "Host": "mail.nktech.com.sg"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000002.406918222.0000000004079000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.406918222.0000000004079000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000016.00000000.397724944.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000016.00000000.397724944.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000016.00000000.399409697.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 38 entries shown)

Unpacked PEs

Source | Rule | Description | Author
22.0.tKZVPq.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
22.0.tKZVPq.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.balance payment.exe.373a2d8.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.balance payment.exe.373a2d8.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
10.0.balance payment.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 37 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\balance payment.exe" , ParentImage: C:\Users\user\Desktop\balance payment.exe, ParentProcessId: 2316, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp, ProcessId: 3132

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 22.0.tKZVPq.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "admin@nktech.com.sg", "Password": "Nktech@64", "Host": "mail.nktech.com.sg"}
Multi AV Scanner detection for submitted file
Source: balance payment.exe | Virustotal: Detection: 44%
Source: balance payment.exe | ReversingLabs: Detection: 35%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mbYOWdeph.exe | ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | ReversingLabs: Detection: 40%
Machine Learning detection for sample
Source: balance payment.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\mbYOWdeph.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Joe Sandbox ML: detected
Source: 22.0.tKZVPq.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.balance payment.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.balance payment.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.2.tKZVPq.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.balance payment.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.0.tKZVPq.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.0.tKZVPq.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.balance payment.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.0.tKZVPq.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.0.tKZVPq.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.0.balance payment.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 10.2.balance payment.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: balance payment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: balance payment.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49782 -> 103.52.59.77:587
Source: global traffic | TCP traffic: 192.168.2.3:49782 -> 103.52.59.77:587
Source: balance payment.exe, 0000000A.00000002.553285330.0000000002F21000.00000004.00000001.sdmp, tKZVPq.exe, 00000016.00000002.551451589.0000000002EC1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: balance payment.exe, 0000000A.00000002.553285330.0000000002F21000.00000004.00000001.sdmp, balance payment.exe, 0000000A.00000002.553942075.0000000003280000.00000004.00000001.sdmp | String found in binary or memory: http://904oyGsO0QBTV.com
Source: balance payment.exe, 0000000A.00000003.502422973.00000000010C4000.00000004.00000001.sdmp | String found in binary or memory: http://904oyGsO0QBTV.com1-5-21-3853321935-2125563209-4053062332-1002_Classes
Source: tKZVPq.exe, 00000016.00000002.551451589.0000000002EC1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: balance payment.exe, 00000000.00000003.274808284.0000000000A3D000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: balance payment.exe, 0000000A.00000002.553967344.0000000003288000.00000004.00000001.sdmp | String found in binary or memory: http://mail.nktech.com.sg
Source: tKZVPq.exe, 00000016.00000002.551451589.0000000002EC1000.00000004.00000001.sdmp | String found in binary or memory: http://nOoUXb.com
Source: balance payment.exe, 00000000.00000002.301871574.00000000025A1000.00000004.00000001.sdmp, tKZVPq.exe, 0000000E.00000002.404130622.0000000003071000.00000004.00000001.sdmp, tKZVPq.exe, 00000014.00000002.407021911.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: balance payment.exe, 00000000.00000002.307108969.00000000067D2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: balance payment.exe, 00000000.00000002.305613107.00000000037F1000.00000004.00000001.sdmp, balance payment.exe, 00000000.00000002.303631045.00000000035A9000.00000004.00000001.sdmp, balance payment.exe, 0000000A.00000000.298455303.0000000000402000.00000040.00000001.sdmp, balance payment.exe, 0000000A.00000000.298033202.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 0000000E.00000002.406918222.0000000004079000.00000004.00000001.sdmp, tKZVPq.exe, 00000014.00000002.409260613.00000000036E9000.00000004.00000001.sdmp, tKZVPq.exe, 00000016.00000000.397724944.0000000000402000.00000040.00000001.sdmp, tKZVPq.exe, 00000016.00000000.399409697.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: balance payment.exe, 0000000A.00000002.553285330.0000000002F21000.00000004.00000001.sdmp, tKZVPq.exe, 00000016.00000002.551451589.0000000002EC1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.nktech.com.sg
Source: tKZVPq.exe, 0000000E.00000002.403469099.0000000001508000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\balance payment.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: balance payment.exe
.NET source code contains very large array initializations
Source: 10.0.balance payment.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bFFCCEB16u002dC146u002d4638u002dAFFDu002dA3A2A664C57Cu007d/u0030A861B06u002d4442u002d4849u002d8430u002d5ED0D442697D.cs | Large array initialization: .cctor: array initializer size 11929
Source: 10.0.balance payment.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bFFCCEB16u002dC146u002d4638u002dAFFDu002dA3A2A664C57Cu007d/u0030A861B06u002d4442u002d4849u002d8430u002d5ED0D442697D.cs | Large array initialization: .cctor: array initializer size 11929
Source: 10.0.balance payment.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bFFCCEB16u002dC146u002d4638u002dAFFDu002dA3A2A664C57Cu007d/u0030A861B06u002d4442u002d4849u002d8430u002d5ED0D442697D.cs | Large array initialization: .cctor: array initializer size 11929
Source: 10.0.balance payment.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bFFCCEB16u002dC146u002d4638u002dAFFDu002dA3A2A664C57Cu007d/u0030A861B06u002d4442u002d4849u002d8430u002d5ED0D442697D.cs | Large array initialization: .cctor: array initializer size 11929
Source: 10.0.balance payment.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bFFCCEB16u002dC146u002d4638u002dAFFDu002dA3A2A664C57Cu007d/u0030A861B06u002d4442u002d4849u002d8430u002d5ED0D442697D.cs | Large array initialization: .cctor: array initializer size 11929
Source: balance payment.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B565B820_2_06B565B8
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B555F320_2_06B555F3
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B555F820_2_06B555F8
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5653520_2_06B56535
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5D50820_2_06B5D508
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5928020_2_06B59280
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B553D820_2_06B553D8
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B553CB20_2_06B553CB
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5133820_2_06B51338
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5132820_2_06B51328
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5237B20_2_06B5237B
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5108320_2_06B51083
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5002120_2_06B50021
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5004020_2_06B50040
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B541C320_2_06B541C3
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B541C820_2_06B541C8
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B54DA020_2_06B54DA0
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B54D9320_2_06B54D93
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B55A3320_2_06B55A33
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B598F020_2_06B598F0
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B518EB20_2_06B518EB
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5587020_2_06B55870
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5586120_2_06B55861
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 20_2_06B5D97020_2_06B5D970
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 22_2_02D347A022_2_02D347A0
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 22_2_02D3478122_2_02D34781
                      Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeCode function: 22_2_02D3476122_2_02D34761
Source: balance payment.exe, 00000000.00000000.273268977.000000000032E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameH8yhvVH.exe@ vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.302764503.0000000002882000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.305613107.00000000037F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameH8yhvVH.exe@ vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.303631045.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.303631045.00000000035A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameweYyNJLhxZoWSWsUVODYlle.exe4 vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.307292610.0000000006EA0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs balance payment.exe
Source: balance payment.exe, 00000000.00000002.301871574.00000000025A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameweYyNJLhxZoWSWsUVODYlle.exe4 vs balance payment.exe
Source: balance payment.exe, 0000000A.00000000.297674511.0000000000ABE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameH8yhvVH.exe@ vs balance payment.exe
Source: balance payment.exe, 0000000A.00000002.551710742.000000000125A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs balance payment.exe
Source: balance payment.exe, 0000000A.00000000.298455303.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameweYyNJLhxZoWSWsUVODYlle.exe4 vs balance payment.exe
Source: balance payment.exe, 0000000A.00000002.548860068.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs balance payment.exe
Source: balance payment.exe, 0000000A.00000003.340608138.0000000006681000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameH8yhvVH.exe@ vs balance payment.exe
Source: balance payment.exe | Binary or memory string: OriginalFilenameH8yhvVH.exe@ vs balance payment.exe
Source: balance payment.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mbYOWdeph.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tKZVPq.exe.10.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: balance payment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mbYOWdeph.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tKZVPq.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: balance payment.exe | Virustotal: Detection: 44%
Source: balance payment.exe | ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\balance payment.exe | File read: C:\Users\user\Desktop\balance payment.exe
Source: balance payment.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\balance payment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\balance payment.exe "C:\Users\user\Desktop\balance payment.exe"
Source: C:\Users\user\Desktop\balance payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\balance payment.exe | Process created: C:\Users\user\Desktop\balance payment.exe {path}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" /XML "C:\Users\user\AppData\Local\Temp\tmp5CD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe "C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe {path}
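The process tree above carries the three observations a defender would turn into detections: schtasks.exe creating a task named Updates\mbYOWdeph from an XML file the dropper wrote to the user's Temp folder (the behaviour behind the "Suspicius Add Task From User AppData Temp" Sigma hit), each binary launching a second copy of its own image with `{path}` as the command line (consistent with the report's process-injection signature), and the dropped copy tKZVPq.exe executing from AppData\Roaming. The Python below is an added example and is not part of the Joe Sandbox report or of the sample itself: it encodes those three observations as rules over process-creation events. The events are constructed here to mirror the tree above with Sysmon Event ID 1 style fields (ParentImage, Image, CommandLine); the parent images of the processes the report lists as "unknown" are assumed, and a benign `schtasks /Create` reading its XML from ProgramData is included so the Temp-path rule can be seen not to fire on it.

```python
"""Process-creation rules for the persistence and self-spawn pattern seen above.

Sample events are constructed for this example (not a captured log); field
names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# /XML argument pointing into a user's AppData\Local\Temp (where tmp6392.tmp was written)
TEMP_XML = re.compile(
    r'/XML\s+"?([A-Za-z]:\\Users\\[^\\"]+\\AppData\\Local\\Temp\\[^"\s]+)', re.I)
TASK_NAME = re.compile(r'/TN\s+"?([^"\s]+)', re.I)
# executable living anywhere under a user's AppData\Roaming or AppData\Local
USER_APPDATA_EXE = re.compile(
    r'^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\.+\.exe$', re.I)


def rule_schtasks_xml_from_temp(ev: ProcEvent):
    """schtasks.exe /Create whose task definition is read from a user Temp folder."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if "/create" not in ev.command_line.lower():
        return None
    xml = TEMP_XML.search(ev.command_line)
    if not xml:
        return None
    tn = TASK_NAME.search(ev.command_line)
    name = tn.group(1) if tn else "<unknown>"
    return Finding("schtasks_xml_from_temp", ev.image,
                   f"task {name} created from {xml.group(1)}")


def rule_self_spawn(ev: ProcEvent):
    """A process starting a second copy of its own image (the '{path}' children above)."""
    if ev.image.lower() != ev.parent_image.lower():
        return None
    return Finding("self_spawn", ev.image,
                   f"parent and child image identical, command line: {ev.command_line}")


def rule_exe_from_appdata(ev: ProcEvent):
    """Executable started from a user's AppData tree (the dropped tKZVPq.exe)."""
    if not USER_APPDATA_EXE.match(ev.image):
        return None
    return Finding("exe_from_appdata", ev.image, "executable run from user AppData")


RULES = (rule_schtasks_xml_from_temp, rule_self_spawn, rule_exe_from_appdata)


def detect(events):
    """Apply every rule to every event in order and return all findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events modelled on the process tree in the report.
# Parent images for the top-level processes are assumed (the report says "unknown").
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\balance payment.exe",
              r'"C:\Users\user\Desktop\balance payment.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\balance payment.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mbYOWdeph" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp6392.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\balance payment.exe",
              r"C:\Users\user\Desktop\balance payment.exe",
              r"{path}"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe",
              r'"C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe"'),
    # Benign control: an administrator importing a task XML kept under ProgramData.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:24} {f.image}  ({f.detail})")
```

Run against the sample events the Temp-path rule fires once (on tmp6392.tmp, not on the ProgramData control), the self-spawn rule once (balance payment.exe starting balance payment.exe {path}), and the AppData rule once (tKZVPq.exe). Matching on the `/XML` path rather than on the task name is deliberate: the `Updates\` folder name changes between builds, but the habit of writing the task definition to `%TEMP%` first is what the Sigma rule in this report keys on.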
Source: C:\Users\user\Desktop\balance payment.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\balance payment.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\balance payment.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\balance payment.exe | File created: C:\Users\user\AppData\Roaming\mbYOWdeph.exe
Source: C:\Users\user\Desktop\balance payment.exe | File created: C:\Users\user\AppData\Local\Temp\tmp6392.tmp
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@15/9@1/1
Source: C:\Users\user\Desktop\balance payment.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\balance payment.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
Source: 10.0.balance payment.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.balance payment.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.balance payment.exe.400000.12.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\balance payment.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\balance payment.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\balance payment.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: balance payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: balance payment.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation: