Windows Analysis Report
payment copy.exe

Overview

General Information

Sample Name: payment copy.exe
Analysis ID: 756033
MD5: 52fcd3f3cb7f0eaacc6cc393ba9313da
SHA1: 5a7304f89ce6525e0449ffdf0022f5114d181680
SHA256: eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: payment copy.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe ReversingLabs: Detection: 30%
Machine Learning detection for sample
Source: payment copy.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.payment copy.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 0.2.payment copy.exe.474a140.7.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "Emenike@potashin.us", "Password": "})cZs aj5Xr; C"}
Uses 32bit PE files
Source: payment copy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: payment copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 68.65.122.214 68.65.122.214
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 68.65.122.214:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49699 -> 68.65.122.214:587
Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.542427252.0000000006E40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.micros
Source: WdFVsOe.exe, 0000000F.00000003.392037383.0000000006E4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://host39.registrar-servers.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com09
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://vpDUpe.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment copy.exe, 00000000.00000003.249126135.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comig
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comypo
Source: payment copy.exe, 00000000.00000003.250990543.000000000631E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.co
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment copy.exe, 00000000.00000003.250921715.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250791703.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250690710.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250751911.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250850742.000000000631E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8&
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersdF-
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers~
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB.TTF
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comldwatR8
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.como
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: payment copy.exe, 00000000.00000003.247675536.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cndf
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnht
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnn
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment copy.exe, 00000000.00000003.250243768.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250205326.00000000062DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.monotype.95n
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: payment copy.exe, 00000000.00000003.246833567.00000000062E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.net
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn0
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.m
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wINwvqrEjRpr.net
Source: WdFVsOe.exe, 0000000C.00000002.532509205.000000000357A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wINwvqrEjRpr.net8
Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: host39.registrar-servers.com

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment copy.exe
.NET source code contains very large array initializations
Source: 1.0.payment copy.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB9A5F9D9u002d8564u002d4959u002dB9E5u002d6870FE15AC73u007d/u0033C0419E1u002d8030u002d4D25u002dB25Eu002d1005A86CEC6B.cs Large array initialization: .cctor: array initializer size 10947
Uses 32bit PE files
Source: payment copy.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AFBEA 0_2_018AFBEA
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AC164 0_2_018AC164
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AE5A2 0_2_018AE5A2
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AE5B0 0_2_018AE5B0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_07FA0040 0_2_07FA0040
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_07FA0006 0_2_07FA0006
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0319FAA0 1_2_0319FAA0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCC5AA 1_2_05BCC5AA
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC29F8 1_2_05BC29F8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC0910 1_2_05BC0910
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BC0040 1_2_05BC0040
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCD318 1_2_05BCD318
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684076B 1_2_0684076B
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684A598 1_2_0684A598
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068452E8 1_2_068452E8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684C2F0 1_2_0684C2F0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06847F88 1_2_06847F88
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06842F78 1_2_06842F78
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06845CB8 1_2_06845CB8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068467A9 1_2_068467A9
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684C240 1_2_0684C240
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068420D0 1_2_068420D0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684D0D3 1_2_0684D0D3
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06846FB8 1_2_06846FB8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06846DC8 1_2_06846DC8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06914A60 1_2_06914A60
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_069115CD 1_2_069115CD
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_069153C8 1_2_069153C8
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142C164 11_2_0142C164
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142E5A2 11_2_0142E5A2
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_0142E5B0 11_2_0142E5B0
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_07480040 11_2_07480040
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Code function: 11_2_07480006 11_2_07480006
Sample file is different than original file name gathered from version info
Source: payment copy.exe, 00000000.00000000.243677634.000000000104E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.267575287.0000000007D40000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000001.00000002.508740371.00000000012F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs payment copy.exe
Source: payment copy.exe, 00000001.00000000.259132151.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe
Source: payment copy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WdFVsOe.exe.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: payment copy.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\payment copy.exe File read: C:\Users\user\Desktop\payment copy.exe Jump to behavior
Source: payment copy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: C:\Users\user\Desktop\payment copy.exe Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment copy.exe Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.log Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Local\Temp\tmp7046.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/1
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: payment copy.exe, 00000001.00000002.532660218.00000000035D2000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.532455798.0000000003575000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531618020.00000000036A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: payment copy.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\payment copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: payment copy.exe String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: payment copy.exe String found in binary or memory: Username:-AddusertextBoxUsernameCash
Source: 1.0.payment copy.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.payment copy.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\payment copy.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\payment copy.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: payment copy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment copy.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payment copy.exe Code function: 0_2_018AF972 pushad ; iretd 0_2_018AF979
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCEEA3 push edi; retf 1_2_05BCEEA6
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_05BCEAF4 push es; iretd 1_2_05BCEAF7
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068418F7 push es; retf 1_2_0684193C
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419C7 push es; retf 1_2_068419C8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419CF push es; retf 1_2_068419D0
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419CB push es; retf 1_2_068419CC
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419D7 push es; retf 1_2_068419D8
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_068419D3 push es; retf 1_2_068419D4
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_0684197B push es; retf 1_2_0684197C
Source: initial sample Static PE information: section name: .text entropy: 7.672485147748669
Source: initial sample Static PE information: section name: .text entropy: 7.672485147748669
Drops PE files
Source: C:\Users\user\Desktop\payment copy.exe File created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to dropped file
Source: C:\Users\user\Desktop\payment copy.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\payment copy.exe File opened: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: WdFVsOe.exe PID: 5864, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payment copy.exe TID: 6052 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 6048 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 5208 Thread sleep count: 9815 > 30 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99850s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99734s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99612s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99281s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99172s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -99047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98934s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98825s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98694s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98574s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98452s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98328s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98150s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -98046s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97937s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97827s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97715s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97608s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97499s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97390s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584 Thread sleep time: -97276s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2064 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -19369081277395017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2384 Thread sleep count: 9733 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99856s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99704s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99563s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99407s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99250s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99141s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -99032s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98915s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98797s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98657s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98527s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98407s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98282s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98172s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -98016s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97905s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97796s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97687s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97578s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97465s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97344s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100 Thread sleep time: -97232s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3408 Thread sleep time: -38122s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5164 Thread sleep count: 9634 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99869s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99529s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98929s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97780s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97546s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012 Thread sleep time: -97437s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payment copy.exe Window / User API: threadDelayed 9815 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9733 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Window / User API: threadDelayed 9634
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99850 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99734 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99612 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99499 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99390 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99281 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99172 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 99047 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98934 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98825 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98694 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98574 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98452 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98328 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98150 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 98046 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97937 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97827 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97715 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97608 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97499 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97390 Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Thread delayed: delay time: 97276 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99856 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99704 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99563 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99407 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99250 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99141 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99032 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98915 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98797 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98657 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98527 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98407 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98282 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98172 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98016 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97905 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97796 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97687 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97578 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97465 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97344 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97232 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 38122 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99869
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99749
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99529
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 99047
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98929
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97780
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97546
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Thread delayed: delay time: 97437
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Enables debug privileges
Source: C:\Users\user\Desktop\payment copy.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\payment copy.exe Code function: 1_2_06847F88 LdrInitializeThunk, 1_2_06847F88
Source: C:\Users\user\Desktop\payment copy.exe Memory allocated: page read and write | page guard Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\payment copy.exe Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Users\user\Desktop\payment copy.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation