Edit tour

Windows Analysis Report
payment copy.exe

Overview

General Information

Sample Name:	payment copy.exe
Analysis ID:	756033
MD5:	52fcd3f3cb7f0eaacc6cc393ba9313da
SHA1:	5a7304f89ce6525e0449ffdf0022f5114d181680
SHA256:	eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

payment copy.exe (PID: 6064 cmdline: C:\Users\user\Desktop\payment copy.exe MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

payment copy.exe (PID: 1848 cmdline: C:\Users\user\Desktop\payment copy.exe MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

WdFVsOe.exe (PID: 5864 cmdline: "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe" MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

WdFVsOe.exe (PID: 5304 cmdline: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

WdFVsOe.exe (PID: 4640 cmdline: "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe" MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

WdFVsOe.exe (PID: 612 cmdline: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

WdFVsOe.exe (PID: 2728 cmdline: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe MD5: 52FCD3F3CB7F0EAACC6CC393BA9313DA)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "Emenike@potashin.us", "Password": "})cZs aj5Xr;   C"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cb6:$a13: get_DnsResolver 0x303c3:$a20: get_LastAccessed 0x326e4:$a27: set_InternalServerPort 0x32a19:$a30: set_GuidMasterKey 0x304d5:$a33: get_Clipboard 0x304e3:$a34: get_Keyboard 0x318b0:$a35: get_ShiftKeyDown 0x318c1:$a36: get_AltKeyDown 0x304f0:$a37: get_Password 0x3100b:$a38: get_PasswordHash 0x32118:$a39: get_DefaultCredentials
00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x150ff6:$a13: get_DnsResolver 0x187616:$a13: get_DnsResolver 0x1bda36:$a13: get_DnsResolver 0x14f703:$a20: get_LastAccessed 0x185d23:$a20: get_LastAccessed 0x1bc143:$a20: get_LastAccessed 0x151a24:$a27: set_InternalServerPort 0x188044:$a27: set_InternalServerPort 0x1be464:$a27: set_InternalServerPort 0x151d59:$a30: set_GuidMasterKey 0x188379:$a30: set_GuidMasterKey 0x1be799:$a30: set_GuidMasterKey 0x14f815:$a33: get_Clipboard 0x185e35:$a33: get_Clipboard 0x1bc255:$a33: get_Clipboard 0x14f823:$a34: get_Keyboard 0x185e43:$a34: get_Keyboard 0x1bc263:$a34: get_Keyboard 0x150bf0:$a35: get_ShiftKeyDown 0x187210:$a35: get_ShiftKeyDown 0x1bd630:$a35: get_ShiftKeyDown
0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: payment copy.exe PID: 6064	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: payment copy.exe PID: 6064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: payment copy.exe PID: 6064	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xfe9ae:$a13: get_DnsResolver 0xfd999:$a20: get_LastAccessed 0xff050:$a27: set_InternalServerPort 0xff237:$a30: set_GuidMasterKey 0xfda7f:$a33: get_Clipboard 0xfda8d:$a34: get_Keyboard 0xfe72b:$a35: get_ShiftKeyDown 0xfe73c:$a36: get_AltKeyDown 0xfda9a:$a37: get_Password 0xfe1b1:$a38: get_PasswordHash 0xfec6e:$a39: get_DefaultCredentials
Process Memory Space: payment copy.exe PID: 1848	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: payment copy.exe PID: 1848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: payment copy.exe PID: 1848	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xb2e8:$a13: get_DnsResolver 0x9c55:$a20: get_LastAccessed 0xbcc5:$a27: set_InternalServerPort 0xbf2c:$a30: set_GuidMasterKey 0x9d50:$a33: get_Clipboard 0x9d5e:$a34: get_Keyboard 0xaf7e:$a35: get_ShiftKeyDown 0xaf8f:$a36: get_AltKeyDown 0x9d6b:$a37: get_Password 0xa7e2:$a38: get_PasswordHash 0xb71e:$a39: get_DefaultCredentials
Process Memory Space: WdFVsOe.exe PID: 5864	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: WdFVsOe.exe PID: 5304	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: WdFVsOe.exe PID: 5304	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: WdFVsOe.exe PID: 2728	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: WdFVsOe.exe PID: 2728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.payment copy.exe.474a140.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.474a140.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.474a140.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c0b:$s10: logins 0x32685:$s11: credential 0x2e8d5:$g1: get_Clipboard 0x2e8e3:$g2: get_Keyboard 0x2e8f0:$g3: get_Password 0x2fca0:$g4: get_CtrlKeyDown 0x2fcb0:$g5: get_ShiftKeyDown 0x2fcc1:$g6: get_AltKeyDown
0.2.payment copy.exe.474a140.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300b6:$a13: get_DnsResolver 0x2e7c3:$a20: get_LastAccessed 0x30ae4:$a27: set_InternalServerPort 0x30e19:$a30: set_GuidMasterKey 0x2e8d5:$a33: get_Clipboard 0x2e8e3:$a34: get_Keyboard 0x2fcb0:$a35: get_ShiftKeyDown 0x2fcc1:$a36: get_AltKeyDown 0x2e8f0:$a37: get_Password 0x2f40b:$a38: get_PasswordHash 0x30518:$a39: get_DefaultCredentials
1.0.payment copy.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.payment copy.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.payment copy.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a0b:$s10: logins 0x34485:$s11: credential 0x306d5:$g1: get_Clipboard 0x306e3:$g2: get_Keyboard 0x306f0:$g3: get_Password 0x31aa0:$g4: get_CtrlKeyDown 0x31ab0:$g5: get_ShiftKeyDown 0x31ac1:$g6: get_AltKeyDown
1.0.payment copy.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eb6:$a13: get_DnsResolver 0x305c3:$a20: get_LastAccessed 0x328e4:$a27: set_InternalServerPort 0x32c19:$a30: set_GuidMasterKey 0x306d5:$a33: get_Clipboard 0x306e3:$a34: get_Keyboard 0x31ab0:$a35: get_ShiftKeyDown 0x31ac1:$a36: get_AltKeyDown 0x306f0:$a37: get_Password 0x3120b:$a38: get_PasswordHash 0x32318:$a39: get_DefaultCredentials
0.2.payment copy.exe.474a140.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.474a140.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.474a140.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a0b:$s10: logins 0x6b02b:$s10: logins 0xa144b:$s10: logins 0x34485:$s11: credential 0x6aaa5:$s11: credential 0xa0ec5:$s11: credential 0x306d5:$g1: get_Clipboard 0x66cf5:$g1: get_Clipboard 0x9d115:$g1: get_Clipboard 0x306e3:$g2: get_Keyboard 0x66d03:$g2: get_Keyboard 0x9d123:$g2: get_Keyboard 0x306f0:$g3: get_Password 0x66d10:$g3: get_Password 0x9d130:$g3: get_Password 0x31aa0:$g4: get_CtrlKeyDown 0x680c0:$g4: get_CtrlKeyDown 0x9e4e0:$g4: get_CtrlKeyDown 0x31ab0:$g5: get_ShiftKeyDown 0x680d0:$g5: get_ShiftKeyDown 0x9e4f0:$g5: get_ShiftKeyDown
0.2.payment copy.exe.474a140.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31eb6:$a13: get_DnsResolver 0x684d6:$a13: get_DnsResolver 0x9e8f6:$a13: get_DnsResolver 0x305c3:$a20: get_LastAccessed 0x66be3:$a20: get_LastAccessed 0x9d003:$a20: get_LastAccessed 0x328e4:$a27: set_InternalServerPort 0x68f04:$a27: set_InternalServerPort 0x9f324:$a27: set_InternalServerPort 0x32c19:$a30: set_GuidMasterKey 0x69239:$a30: set_GuidMasterKey 0x9f659:$a30: set_GuidMasterKey 0x306d5:$a33: get_Clipboard 0x66cf5:$a33: get_Clipboard 0x9d115:$a33: get_Clipboard 0x306e3:$a34: get_Keyboard 0x66d03:$a34: get_Keyboard 0x9d123:$a34: get_Keyboard 0x31ab0:$a35: get_ShiftKeyDown 0x680d0:$a35: get_ShiftKeyDown 0x9e4f0:$a35: get_ShiftKeyDown
0.2.payment copy.exe.34005e8.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.payment copy.exe.34005e8.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd236:$v1: SbieDll.dll 0xd250:$v2: USER 0xd25c:$v3: SANDBOX 0xd26e:$v4: VIRUS 0xd2be:$v4: VIRUS 0xd27c:$v5: MALWARE 0xd28e:$v6: SCHMIDTI 0xd2a2:$v7: CURRENTUSER
11.2.WdFVsOe.exe.2f9063c.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.WdFVsOe.exe.2f9063c.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd236:$v1: SbieDll.dll 0xd250:$v2: USER 0xd25c:$v3: SANDBOX 0xd26e:$v4: VIRUS 0xd2be:$v4: VIRUS 0xd27c:$v5: MALWARE 0xd28e:$v6: SCHMIDTI 0xd2a2:$v7: CURRENTUSER
0.2.payment copy.exe.46b2520.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.46b2520.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.46b2520.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xcc62b:$s10: logins 0x102c4b:$s10: logins 0x13906b:$s10: logins 0xcc0a5:$s11: credential 0x1026c5:$s11: credential 0x138ae5:$s11: credential 0xc82f5:$g1: get_Clipboard 0xfe915:$g1: get_Clipboard 0x134d35:$g1: get_Clipboard 0xc8303:$g2: get_Keyboard 0xfe923:$g2: get_Keyboard 0x134d43:$g2: get_Keyboard 0xc8310:$g3: get_Password 0xfe930:$g3: get_Password 0x134d50:$g3: get_Password 0xc96c0:$g4: get_CtrlKeyDown 0xffce0:$g4: get_CtrlKeyDown 0x136100:$g4: get_CtrlKeyDown 0xc96d0:$g5: get_ShiftKeyDown 0xffcf0:$g5: get_ShiftKeyDown 0x136110:$g5: get_ShiftKeyDown
0.2.payment copy.exe.46b2520.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x34e27:$s1: file:/// 0x34d37:$s2: {11111-22222-10009-11112} 0x34db7:$s3: {11111-22222-50001-00000} 0x33f41:$s4: get_Module 0x342bc:$s5: Reverse 0xc88a6:$s5: Reverse 0xfeec6:$s5: Reverse 0x1352e6:$s5: Reverse 0x2f3b2:$s6: BlockCopy 0xca8ec:$s6: BlockCopy 0x100f0c:$s6: BlockCopy 0x13732c:$s6: BlockCopy 0xc8b64:$s7: ReadByte 0xff184:$s7: ReadByte 0x1355a4:$s7: ReadByte 0x34e39:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.payment copy.exe.46b2520.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc9ad6:$a13: get_DnsResolver 0x1000f6:$a13: get_DnsResolver 0x136516:$a13: get_DnsResolver 0xc81e3:$a20: get_LastAccessed 0xfe803:$a20: get_LastAccessed 0x134c23:$a20: get_LastAccessed 0xca504:$a27: set_InternalServerPort 0x100b24:$a27: set_InternalServerPort 0x136f44:$a27: set_InternalServerPort 0xca839:$a30: set_GuidMasterKey 0x100e59:$a30: set_GuidMasterKey 0x137279:$a30: set_GuidMasterKey 0xc82f5:$a33: get_Clipboard 0xfe915:$a33: get_Clipboard 0x134d35:$a33: get_Clipboard 0xc8303:$a34: get_Keyboard 0xfe923:$a34: get_Keyboard 0x134d43:$a34: get_Keyboard 0xc96d0:$a35: get_ShiftKeyDown 0xffcf0:$a35: get_ShiftKeyDown 0x136110:$a35: get_ShiftKeyDown
11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2aa06:$v1: SbieDll.dll 0x2aa20:$v2: USER 0x2aa2c:$v3: SANDBOX 0x2aa3e:$v4: VIRUS 0x2aa8e:$v4: VIRUS 0x2aa4c:$v5: MALWARE 0x2aa5e:$v6: SCHMIDTI 0x2aa72:$v7: CURRENTUSER
0.2.payment copy.exe.462b3f8.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.462b3f8.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.payment copy.exe.462b3f8.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x153753:$s10: logins 0x189d73:$s10: logins 0x1c0193:$s10: logins 0x1531cd:$s11: credential 0x1897ed:$s11: credential 0x1bfc0d:$s11: credential 0x14f41d:$g1: get_Clipboard 0x185a3d:$g1: get_Clipboard 0x1bbe5d:$g1: get_Clipboard 0x14f42b:$g2: get_Keyboard 0x185a4b:$g2: get_Keyboard 0x1bbe6b:$g2: get_Keyboard 0x14f438:$g3: get_Password 0x185a58:$g3: get_Password 0x1bbe78:$g3: get_Password 0x1507e8:$g4: get_CtrlKeyDown 0x186e08:$g4: get_CtrlKeyDown 0x1bd228:$g4: get_CtrlKeyDown 0x1507f8:$g5: get_ShiftKeyDown 0x186e18:$g5: get_ShiftKeyDown 0x1bd238:$g5: get_ShiftKeyDown
0.2.payment copy.exe.462b3f8.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xbbf4f:$s1: file:/// 0xbbe5f:$s2: {11111-22222-10009-11112} 0xbbedf:$s3: {11111-22222-50001-00000} 0xbb069:$s4: get_Module 0xbb3e4:$s5: Reverse 0x14f9ce:$s5: Reverse 0x185fee:$s5: Reverse 0x1bc40e:$s5: Reverse 0xb64da:$s6: BlockCopy 0x151a14:$s6: BlockCopy 0x188034:$s6: BlockCopy 0x1be454:$s6: BlockCopy 0x14fc8c:$s7: ReadByte 0x1862ac:$s7: ReadByte 0x1bc6cc:$s7: ReadByte 0xbbf61:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.payment copy.exe.462b3f8.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x150bfe:$a13: get_DnsResolver 0x18721e:$a13: get_DnsResolver 0x1bd63e:$a13: get_DnsResolver 0x14f30b:$a20: get_LastAccessed 0x18592b:$a20: get_LastAccessed 0x1bbd4b:$a20: get_LastAccessed 0x15162c:$a27: set_InternalServerPort 0x187c4c:$a27: set_InternalServerPort 0x1be06c:$a27: set_InternalServerPort 0x151961:$a30: set_GuidMasterKey 0x187f81:$a30: set_GuidMasterKey 0x1be3a1:$a30: set_GuidMasterKey 0x14f41d:$a33: get_Clipboard 0x185a3d:$a33: get_Clipboard 0x1bbe5d:$a33: get_Clipboard 0x14f42b:$a34: get_Keyboard 0x185a4b:$a34: get_Keyboard 0x1bbe6b:$a34: get_Keyboard 0x1507f8:$a35: get_ShiftKeyDown 0x186e18:$a35: get_ShiftKeyDown 0x1bd238:$a35: get_ShiftKeyDown
0.2.payment copy.exe.33e2e18.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.payment copy.exe.33e2e18.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2aa06:$v1: SbieDll.dll 0x2aa20:$v2: USER 0x2aa2c:$v3: SANDBOX 0x2aa3e:$v4: VIRUS 0x2aa8e:$v4: VIRUS 0x2aa4c:$v5: MALWARE 0x2aa5e:$v6: SCHMIDTI 0x2aa72:$v7: CURRENTUSER
Click to see the 25 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: payment copy.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: payment copy.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

Joe Sandbox ML: detected

Source: 1.0.payment copy.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.payment copy.exe.474a140.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "host39.registrar-servers.com", "Username": "Emenike@potashin.us", "Password": "})cZs aj5Xr; C"}

Source: payment copy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: payment copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Joe Sandbox View

IP Address: 68.65.122.214 68.65.122.214

Source: global traffic

TCP traffic: 192.168.2.3:49699 -> 68.65.122.214:587

Source: global traffic

TCP traffic: 192.168.2.3:49699 -> 68.65.122.214:587

Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.542427252.0000000006E40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros
Source: WdFVsOe.exe, 0000000F.00000003.392037383.0000000006E4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://host39.registrar-servers.com
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com09
Source: WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://vpDUpe.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment copy.exe, 00000000.00000003.249126135.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comig
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comypo
Source: payment copy.exe, 00000000.00000003.250990543.000000000631E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.co
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment copy.exe, 00000000.00000003.250921715.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250791703.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250690710.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250751911.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250850742.000000000631E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8&
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersdF-
Source: payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers~
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comldwatR8
Source: payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: payment copy.exe, 00000000.00000003.247675536.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cndf
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnht
Source: payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnn
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment copy.exe, 00000000.00000003.250243768.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250205326.00000000062DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.95n
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: payment copy.exe, 00000000.00000003.246833567.00000000062E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.net
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn0
Source: payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.m
Source: payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wINwvqrEjRpr.net
Source: WdFVsOe.exe, 0000000C.00000002.532509205.000000000357A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wINwvqrEjRpr.net8
Source: payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: host39.registrar-servers.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: payment copy.exe

.NET source code contains very large array initializations

Source: 1.0.payment copy.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bB9A5F9D9u002d8564u002d4959u002dB9E5u002d6870FE15AC73u007d/u0033C0419E1u002d8030u002d4D25u002dB25Eu002d1005A86CEC6B.cs

Large array initialization: .cctor: array initializer size 10947

Source: payment copy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_018AFBEA	0_2_018AFBEA
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_018AC164	0_2_018AC164
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_018AE5A2	0_2_018AE5A2
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_018AE5B0	0_2_018AE5B0
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_07FA0040	0_2_07FA0040
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_07FA0006	0_2_07FA0006
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0319FAA0	1_2_0319FAA0
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BCC5AA	1_2_05BCC5AA
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BC29F8	1_2_05BC29F8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BC0910	1_2_05BC0910
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BC0040	1_2_05BC0040
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BCD318	1_2_05BCD318
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684076B	1_2_0684076B
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684A598	1_2_0684A598
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068452E8	1_2_068452E8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684C2F0	1_2_0684C2F0
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06847F88	1_2_06847F88
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06842F78	1_2_06842F78
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06845CB8	1_2_06845CB8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068467A9	1_2_068467A9
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684C240	1_2_0684C240
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068420D0	1_2_068420D0
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684D0D3	1_2_0684D0D3
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06846FB8	1_2_06846FB8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06846DC8	1_2_06846DC8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_06914A60	1_2_06914A60
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_069115CD	1_2_069115CD
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_069153C8	1_2_069153C8
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 11_2_0142C164	11_2_0142C164
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 11_2_0142E5A2	11_2_0142E5A2
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 11_2_0142E5B0	11_2_0142E5B0
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 11_2_07480040	11_2_07480040
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Code function: 11_2_07480006	11_2_07480006

Source: payment copy.exe, 00000000.00000000.243677634.000000000104E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.267575287.0000000007D40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs payment copy.exe
Source: payment copy.exe, 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe, 00000001.00000002.508740371.00000000012F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs payment copy.exe
Source: payment copy.exe, 00000001.00000000.259132151.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1b1d9ce2-62fd-41b4-99a9-182e452ccf71.exe4 vs payment copy.exe
Source: payment copy.exe	Binary or memory string: OriginalFilenameoghF.exeB vs payment copy.exe

Source: payment copy.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WdFVsOe.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: payment copy.exe

ReversingLabs: Detection: 30%

Source: C:\Users\user\Desktop\payment copy.exe

File read: C:\Users\user\Desktop\payment copy.exe

Jump to behavior

Source: payment copy.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payment copy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: C:\Users\user\Desktop\payment copy.exe	Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe "C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Source: C:\Users\user\Desktop\payment copy.exe	Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\payment copy.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7046.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/4@3/1

Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: payment copy.exe, 00000000.00000000.243511449.0000000000F62000.00000002.00000001.01000000.00000003.sdmp, WdFVsOe.exe.1.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: payment copy.exe, 00000001.00000002.532660218.00000000035D2000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.532455798.0000000003575000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531618020.00000000036A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: payment copy.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\payment copy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: payment copy.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: payment copy.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 1.0.payment copy.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.payment copy.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\payment copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\payment copy.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: payment copy.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: payment copy.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\payment copy.exe	Code function: 0_2_018AF972 pushad ; iretd	0_2_018AF979
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BCEEA3 push edi; retf	1_2_05BCEEA6
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_05BCEAF4 push es; iretd	1_2_05BCEAF7
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068418F7 push es; retf	1_2_0684193C
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068419C7 push es; retf	1_2_068419C8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068419CF push es; retf	1_2_068419D0
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068419CB push es; retf	1_2_068419CC
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068419D7 push es; retf	1_2_068419D8
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_068419D3 push es; retf	1_2_068419D4
Source: C:\Users\user\Desktop\payment copy.exe	Code function: 1_2_0684197B push es; retf	1_2_0684197C

Source: initial sample	Static PE information: section name: .text entropy: 7.672485147748669
Source: initial sample	Static PE information: section name: .text entropy: 7.672485147748669

Source: C:\Users\user\Desktop\payment copy.exe

File created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

Jump to dropped file

Source: C:\Users\user\Desktop\payment copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe			Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\payment copy.exe

File opened: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.payment copy.exe.34005e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.WdFVsOe.exe.2f9063c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.WdFVsOe.exe.2f72e6c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.33e2e18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 5864, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: payment copy.exe, 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.337625854.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\payment copy.exe TID: 6052	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 6048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 5208	Thread sleep count: 9815 > 30	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99850s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99612s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -99047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98934s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98825s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98694s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98574s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98452s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98150s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -98046s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97827s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97715s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97608s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97499s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe TID: 2584	Thread sleep time: -97276s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2064	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2400	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -19369081277395017s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 2384	Thread sleep count: 9733 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99856s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99704s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99250s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99141s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -99032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98915s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98657s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98527s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98407s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98282s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -98016s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97905s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97796s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97687s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97578s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97465s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97344s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 6100	Thread sleep time: -97232s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 3408	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1328	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 5164	Thread sleep count: 9634 > 30
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99869s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99640s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99529s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99297s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98929s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98578s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98468s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98359s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98140s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -98031s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -97780s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -97671s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -97546s >= -30000s
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe TID: 1012	Thread sleep time: -97437s >= -30000s

Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\payment copy.exe	Window / User API: threadDelayed 9815	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Window / User API: threadDelayed 9733	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Window / User API: threadDelayed 9634

Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment copy.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\payment copy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99850	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99612	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99499	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99390	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99172	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 99047	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98934	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98825	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98694	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98574	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98452	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98150	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 98046	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97937	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97827	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97715	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97608	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97499	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97390	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Thread delayed: delay time: 97276	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99856	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99704	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99250	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99141	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99032	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98915	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98657	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98527	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98282	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98172	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98016	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97905	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97796	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97687	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97578	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97465	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97344	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97232	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99869
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99749
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99640
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99529
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99421
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99297
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99156
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 99047
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98929
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98797
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98687
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98578
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98468
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98359
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98250
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98140
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 98031
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97780
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97671
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97546
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Thread delayed: delay time: 97437

Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: WdFVsOe.exe, 0000000D.00000002.338181661.0000000003095000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\payment copy.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe

Code function: 1_2_06847F88 LdrInitializeThunk,

1_2_06847F88

Source: C:\Users\user\Desktop\payment copy.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe	Process created: C:\Users\user\Desktop\payment copy.exe C:\Users\user\Desktop\payment copy.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Process created: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Users\user\Desktop\payment copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Users\user\Desktop\payment copy.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\payment copy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\payment copy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\payment copy.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\payment copy.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.payment copy.exe.474a140.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.payment copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.474a140.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.46b2520.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment copy.exe.462b3f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 6064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: payment copy.exe PID: 1848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 5304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WdFVsOe.exe PID: 2728, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	311 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	3 Software Packing	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	131 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	11 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
payment copy.exe	30%	ReversingLabs	Win32.Trojan.Woreflint
payment copy.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe	30%	ReversingLabs	Win32.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.payment copy.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.comypo	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cnht	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnn	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.fontbureau.comB.TTF	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.html	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.monotype.95n	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.carterandcone.comig	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.fontbureau.co	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://crl.micros	0%	URL Reputation	safe
https://wINwvqrEjRpr.net8	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn0	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com09	0%	Avira URL Cloud	safe
http://vpDUpe.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cndf	0%	Avira URL Cloud	safe
https://wINwvqrEjRpr.net	0%	Avira URL Cloud	safe
http://www.fontbureau.comldwatR8	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.m	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
host39.registrar-servers.com	68.65.122.214	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designersG	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8&	payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microsoft	WdFVsOe.exe, 0000000F.00000003.392037383.0000000006E4C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://vpDUpe.com	WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.monotype.95n	payment copy.exe, 00000000.00000003.250243768.00000000062DD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250205326.00000000062DC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.tiro.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn0	payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.com	payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comypo	payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnht	payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cnn	payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247497084.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.net	payment copy.exe, 00000000.00000003.246833567.00000000062E0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.comB.TTF	payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wINwvqrEjRpr.net8	WdFVsOe.exe, 0000000C.00000002.532509205.000000000357A000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ascendercorp.com/typedesigners.html	payment copy.exe, 00000000.00000003.249126135.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fonts.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.comig	payment copy.exe, 00000000.00000003.248035060.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247967738.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.248057940.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersdF-	payment copy.exe, 00000000.00000003.250252956.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0	payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com09	payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers~	payment copy.exe, 00000000.00000003.251240828.00000000062E8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://host39.registrar-servers.com	payment copy.exe, 00000001.00000002.533327699.000000000360E000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.533250375.00000000035B8000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	payment copy.exe, 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, WdFVsOe.exe, 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.co	payment copy.exe, 00000000.00000003.250990543.000000000631E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cndf	payment copy.exe, 00000000.00000003.247520874.00000000062FD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/	payment copy.exe, 00000000.00000003.247675536.0000000006300000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.247640305.00000000062FE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://wINwvqrEjRpr.net	WdFVsOe.exe, 0000000F.00000002.531668173.00000000036A7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	payment copy.exe, 00000000.00000003.250921715.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250791703.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250690710.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250751911.000000000631E000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, payment copy.exe, 00000000.00000003.250850742.000000000631E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	payment copy.exe, 00000000.00000002.266294010.00000000074E2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cno.m	payment copy.exe, 00000000.00000003.247858293.0000000006300000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comldwatR8	payment copy.exe, 00000000.00000003.260213566.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros	payment copy.exe, 00000001.00000002.541820691.000000000674E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
68.65.122.214	host39.registrar-servers.com	United States		22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756033
Start date and time:	2022-11-29 14:54:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	payment copy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/4@3/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 95% Number of executed functions: 62 Number of non-executed functions: 5
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:55:04	API Interceptor	663x Sleep call for process: payment copy.exe modified
14:55:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
14:55:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WdFVsOe C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
14:55:25	API Interceptor	855x Sleep call for process: WdFVsOe.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
68.65.122.214	payment swift.exe	Get hash	malicious	Browse
	SWIFT Payment W076001.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse
	New Order.exe	Get hash	malicious	Browse
	RFQ E22-0350 pdf.zip.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.5615.5540.exe	Get hash	malicious	Browse
	65plwEdhrs.exe	Get hash	malicious	Browse
	PO-2100193237.xls	Get hash	malicious	Browse
	NEW ORDER.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.44634.11417.32113.exe	Get hash	malicious	Browse
	SOA001.xls	Get hash	malicious	Browse
	mW3lylpp53.exe	Get hash	malicious	Browse
	doc06983120221101093537.exe	Get hash	malicious	Browse
	Doc20220929105022.exe	Get hash	malicious	Browse
	zfRyc49sNH.exe	Get hash	malicious	Browse
	swiftcopy.xls	Get hash	malicious	Browse
	100% Advance Payment Needed.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
host39.registrar-servers.com	payment swift.exe	Get hash	malicious	Browse	68.65.122.214
	SWIFT Payment W076001.exe	Get hash	malicious	Browse	68.65.122.214
	file.exe	Get hash	malicious	Browse	68.65.122.214
	New Order.exe	Get hash	malicious	Browse	68.65.122.214
	New Order.exe	Get hash	malicious	Browse	68.65.122.214
	RFQ E22-0350 pdf.zip.exe	Get hash	malicious	Browse	68.65.122.214
	file.exe	Get hash	malicious	Browse	68.65.122.214
	file.exe	Get hash	malicious	Browse	68.65.122.214
	SecuriteInfo.com.Win32.PWSX-gen.5615.5540.exe	Get hash	malicious	Browse	68.65.122.214
	65plwEdhrs.exe	Get hash	malicious	Browse	68.65.122.214
	PO-2100193237.xls	Get hash	malicious	Browse	68.65.122.214
	NEW ORDER.exe	Get hash	malicious	Browse	68.65.122.214
	SecuriteInfo.com.Trojan.Packed2.44634.11417.32113.exe	Get hash	malicious	Browse	68.65.122.214
	SOA001.xls	Get hash	malicious	Browse	68.65.122.214
	mW3lylpp53.exe	Get hash	malicious	Browse	68.65.122.214
	doc06983120221101093537.exe	Get hash	malicious	Browse	68.65.122.214
	Doc20220929105022.exe	Get hash	malicious	Browse	68.65.122.214
	zfRyc49sNH.exe	Get hash	malicious	Browse	68.65.122.214
	swiftcopy.xls	Get hash	malicious	Browse	68.65.122.214
	100% Advance Payment Needed.xls	Get hash	malicious	Browse	68.65.122.214

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	payment swift.exe	Get hash	malicious	Browse	68.65.122.214
	https://myteachingvideo.org/nmp2a	Get hash	malicious	Browse	192.64.117.40
	New PO-RJ-IN-003 - Knauf Queimados.exe	Get hash	malicious	Browse	198.54.121.81
	PI-1366091200.js	Get hash	malicious	Browse	198.54.122.135
	JsX27X5dti.exe	Get hash	malicious	Browse	68.65.122.109
	http://ideentiifire.com	Get hash	malicious	Browse	192.64.119.238
	https://sites.google.com/view/uas-invite/home	Get hash	malicious	Browse	199.192.16.22
	FCA000200010005.PDF.exe	Get hash	malicious	Browse	162.0.228.17
	BL-NO-OOLU2136901180.vbs	Get hash	malicious	Browse	198.54.117.216
	Purchase Order No. 4502717956.exe	Get hash	malicious	Browse	162.213.255.142
	https://jpnetworkbd.com/aab/index.php?atu-qui=6	Get hash	malicious	Browse	68.65.120.179
	hZmf6K2R58.exe	Get hash	malicious	Browse	199.192.20.95
	https://indd.adobe.com/view/afe6bfe7-4ef8-49fa-b099-03bbf908dd26	Get hash	malicious	Browse	162.0.235.22
	paystub_11_24_2022.html	Get hash	malicious	Browse	68.65.122.77
	SWIFT Payment W076001.exe	Get hash	malicious	Browse	68.65.122.214
	file.exe	Get hash	malicious	Browse	68.65.122.214
	file.exe	Get hash	malicious	Browse	198.54.115.69
	New Order.exe	Get hash	malicious	Browse	68.65.122.214
	Lakeringernes (1).exe	Get hash	malicious	Browse	162.0.238.93
	https://robuxify.me/	Get hash	malicious	Browse	162.213.251.63

Process:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.log

Download File

Process:	C:\Users\user\Desktop\payment copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

Download File

Process:	C:\Users\user\Desktop\payment copy.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	963072
Entropy (8bit):	7.666020966282773
Encrypted:	false
SSDEEP:	12288:yEhqU+PoxVZ861s4cEOSJJi0yIxYeQo//tdYV71JSYVBgrVDdzoa1cfN:LuoxL1MEPzyIBPY/JSMBgBDdEPf
MD5:	52FCD3F3CB7F0EAACC6CC393BA9313DA
SHA1:	5A7304F89CE6525E0449FFDF0022F5114D181680
SHA-256:	EEABB0A04EA59624D05185AFBBF4A1C8E5DB554C0C325871C4C0AC5DE34C5547
SHA-512:	7CE8744C23B517043B25F173733888385BE9FDAA67B597C3EC522D24D422ED1FEE9A44CFA51C7C6C3812FBC2FD791FE57A822E3C0A462670448FB0EE507C54EC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..............0.............z.... ........@.. ....................... ............@.................................(...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................\.......H.......<...........l...8u...S..........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\payment copy.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.666020966282773
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	payment copy.exe
File size:	963072
MD5:	52fcd3f3cb7f0eaacc6cc393ba9313da
SHA1:	5a7304f89ce6525e0449ffdf0022f5114d181680
SHA256:	eeabb0a04ea59624d05185afbbf4a1c8e5db554c0c325871c4c0ac5de34c5547
SHA512:	7ce8744c23b517043b25f173733888385be9fdaa67b597c3ec522d24d422ed1fee9a44cfa51c7c6c3812fbc2fd791fe57a822e3c0a462670448fb0ee507c54ec
SSDEEP:	12288:yEhqU+PoxVZ861s4cEOSJJi0yIxYeQo//tdYV71JSYVBgrVDdzoa1cfN:LuoxL1MEPzyIBPY/JSMBgBDdEPf
TLSH:	3F25E08033A6BF71F5696BF37521800827763C6EA5E0D6285DCDB0DE2A76B5049F0B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.............z.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ec97a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385B1CA [Tue Nov 29 07:16:26 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xec928	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xee000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xea980	0xeaa00	False	0.8303174530500799	data	7.672485147748669	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xee000	0x388	0x400	False	0.37109375	data	2.8467797153196712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf0000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xee058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 14:55:25.424974918 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:25.592058897 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:25.592273951 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:25.895911932 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:25.905392885 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.075438023 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.075676918 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.248148918 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.295599937 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.479507923 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.479547024 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.479569912 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.479587078 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.479638100 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.479693890 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.481981993 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.535485983 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.703422070 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.763364077 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:26.930888891 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:26.933207035 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.102840900 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.103601933 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.310229063 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.324902058 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.326145887 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.492806911 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.492857933 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.493326902 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.666775942 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.667530060 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.835021019 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:27.837627888 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.837723017 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.838565111 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:27.838650942 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:28.008394957 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:28.008449078 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:28.008755922 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:28.014305115 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:28.155173063 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:56.683109999 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:56.851603031 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:56.852837086 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.171015978 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.173106909 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.341361046 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.341626883 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.512027979 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.544939995 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.730178118 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.730206966 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.730222940 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.730238914 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.730304956 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.732626915 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.747056007 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:57.915951967 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:57.997579098 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:58.166379929 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:58.166922092 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:58.335804939 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:58.336447954 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:58.521548033 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:58.522005081 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:58.691117048 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:58.691618919 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:58.867047071 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:58.867399931 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:59.037381887 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:59.038328886 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:59.038417101 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:59.038485050 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:59.038551092 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:55:59.217993021 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:59.218055964 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:59.227782011 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:59.227830887 CET	587	49700	68.65.122.214	192.168.2.3
Nov 29, 2022 14:55:59.273787022 CET	49700	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:06.216950893 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:06.384685993 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:06.384807110 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:06.619520903 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:06.620049000 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:06.790031910 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:06.793853045 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:06.964744091 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:06.980041027 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.162103891 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.162137032 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.162158966 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.162178993 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.162257910 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.165424109 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.167860031 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.336713076 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.392863035 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.420589924 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.599742889 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.603785038 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.772320032 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.782051086 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:07.966464043 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:07.968965054 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.137397051 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.139621973 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.321909904 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.329601049 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.508558989 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.509864092 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.510042906 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.510165930 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.510349035 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:56:08.677747965 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.677787066 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.679023027 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.709340096 CET	587	49701	68.65.122.214	192.168.2.3
Nov 29, 2022 14:56:08.752382994 CET	49701	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:57:05.351572990 CET	49699	587	192.168.2.3	68.65.122.214
Nov 29, 2022 14:57:05.578685045 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:57:05.941483021 CET	587	49699	68.65.122.214	192.168.2.3
Nov 29, 2022 14:57:05.945311069 CET	49699	587	192.168.2.3	68.65.122.214

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 14:55:25.373497963 CET	49977	53	192.168.2.3	8.8.8.8
Nov 29, 2022 14:55:25.394471884 CET	53	49977	8.8.8.8	192.168.2.3
Nov 29, 2022 14:55:56.601288080 CET	57840	53	192.168.2.3	8.8.8.8
Nov 29, 2022 14:55:56.621599913 CET	53	57840	8.8.8.8	192.168.2.3
Nov 29, 2022 14:56:06.164307117 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 14:56:06.181865931 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 14:55:25.373497963 CET	192.168.2.3	8.8.8.8	0x8bf7	Standard query (0)	host39.registrar-servers.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 14:55:56.601288080 CET	192.168.2.3	8.8.8.8	0x1ade	Standard query (0)	host39.registrar-servers.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 14:56:06.164307117 CET	192.168.2.3	8.8.8.8	0xea32	Standard query (0)	host39.registrar-servers.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 14:55:25.394471884 CET	8.8.8.8	192.168.2.3	0x8bf7	No error (0)	host39.registrar-servers.com	68.65.122.214	A (IP address)	IN (0x0001)	false
Nov 29, 2022 14:55:56.621599913 CET	8.8.8.8	192.168.2.3	0x1ade	No error (0)	host39.registrar-servers.com	68.65.122.214	A (IP address)	IN (0x0001)	false
Nov 29, 2022 14:56:06.181865931 CET	8.8.8.8	192.168.2.3	0xea32	No error (0)	host39.registrar-servers.com	68.65.122.214	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 14:55:25.895911932 CET	587	49699	68.65.122.214	192.168.2.3	220-host39.registrar-servers.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 08:55:25 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 14:55:25.905392885 CET	49699	587	192.168.2.3	68.65.122.214	EHLO 332260
Nov 29, 2022 14:55:26.075438023 CET	587	49699	68.65.122.214	192.168.2.3	250-host39.registrar-servers.com Hello 332260 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 29, 2022 14:55:26.075676918 CET	49699	587	192.168.2.3	68.65.122.214	STARTTLS
Nov 29, 2022 14:55:26.248148918 CET	587	49699	68.65.122.214	192.168.2.3	220 TLS go ahead
Nov 29, 2022 14:55:57.171015978 CET	587	49700	68.65.122.214	192.168.2.3	220-host39.registrar-servers.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 08:55:57 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 14:55:57.173106909 CET	49700	587	192.168.2.3	68.65.122.214	EHLO 332260
Nov 29, 2022 14:55:57.341361046 CET	587	49700	68.65.122.214	192.168.2.3	250-host39.registrar-servers.com Hello 332260 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 29, 2022 14:55:57.341626883 CET	49700	587	192.168.2.3	68.65.122.214	STARTTLS
Nov 29, 2022 14:55:57.512027979 CET	587	49700	68.65.122.214	192.168.2.3	220 TLS go ahead
Nov 29, 2022 14:56:06.619520903 CET	587	49701	68.65.122.214	192.168.2.3	220-host39.registrar-servers.com ESMTP Exim 4.95 #2 Tue, 29 Nov 2022 08:56:06 -0500 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Nov 29, 2022 14:56:06.620049000 CET	49701	587	192.168.2.3	68.65.122.214	EHLO 332260
Nov 29, 2022 14:56:06.790031910 CET	587	49701	68.65.122.214	192.168.2.3	250-host39.registrar-servers.com Hello 332260 [102.129.143.49] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Nov 29, 2022 14:56:06.793853045 CET	49701	587	192.168.2.3	68.65.122.214	STARTTLS
Nov 29, 2022 14:56:06.964744091 CET	587	49701	68.65.122.214	192.168.2.3	220 TLS go ahead

Target ID:	0
Start time:	14:54:58
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\payment copy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\payment copy.exe
Imagebase:	0xf60000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.261250021.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.262257256.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.263520436.000000000462B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	14:55:05
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\payment copy.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\payment copy.exe
Imagebase:	0xda0000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.258978020.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.522170606.0000000003291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	14:55:22
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Imagebase:	0xaf0000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.310942786.000000000325E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.307766391.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	14:55:27
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Imagebase:	0xcd0000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.521910892.000000000323C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	14:55:30
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe"
Imagebase:	0x7c0000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	14
Start time:	14:55:39
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Imagebase:	0x380000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	15
Start time:	14:55:40
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe
Imagebase:	0xdc0000
File size:	963072 bytes
MD5 hash:	52FCD3F3CB7F0EAACC6CC393BA9313DA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.520858621.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	112
Total number of Limit Nodes:	10

Executed Functions

Function 018AFBEA Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f04bae4cb554cb75345c8a06c888ddc0e7c69942d886209dfd34e664b1b779
Instruction ID: 5382652d56ca775eed6ec336d01c0b5e83b9e811caafbf563e07ed8da1a077f5
Opcode Fuzzy Hash: b4f04bae4cb554cb75345c8a06c888ddc0e7c69942d886209dfd34e664b1b779
Instruction Fuzzy Hash: E9915D718093889FDF02CFA5C8A46CDBFB1EF4A304F1985DAE544EB262D334A955CB51

Uniqueness

Uniqueness Score: -1.00%

Function 018AB6C1 Relevance: 6.1, APIs: 4, Instructions: 121
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018AB730
GetCurrentThread.KERNEL32 ref: 018AB76D
GetCurrentProcess.KERNEL32 ref: 018AB7AA
GetCurrentThreadId.KERNEL32 ref: 018AB803

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7357cc7d02e5179b043e237a68711e161b98d58cf52c20fe51b4b524925c73f4
Instruction ID: eaecfe1311c8ad50e396ed2af6574fffe8b2edbed39e266c715c92197c36e48d
Opcode Fuzzy Hash: 7357cc7d02e5179b043e237a68711e161b98d58cf52c20fe51b4b524925c73f4
Instruction Fuzzy Hash: 725157B4900289CFEB14CFA9D548BAEBFF1BF48304F24845AE909A7250DB746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 018AB6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 018AB730
GetCurrentThread.KERNEL32 ref: 018AB76D
GetCurrentProcess.KERNEL32 ref: 018AB7AA
GetCurrentThreadId.KERNEL32 ref: 018AB803

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 702dd6c9e2b4102e0224d99177b3be27a595505ad1d2823cfbc4dfefca158782
Instruction ID: 6e8a21d56ebc158dd54592f1548eb38a693b5642a4351fa5aa6709bc9ef16ef9
Opcode Fuzzy Hash: 702dd6c9e2b4102e0224d99177b3be27a595505ad1d2823cfbc4dfefca158782
Instruction Fuzzy Hash: 205144B4900249CFEB14CFAAD548BAEBFF1BF48314F248459E909A7250DB746984CF65

Uniqueness

Uniqueness Score: -1.00%

Function 018AFD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018AFE4A

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 2f32e7c80dfbee936582ec30eca54758c9ba6a7b5358a96f9e3d7f290daf78ba
Instruction ID: 05e2ba8b7160e0510d93fe00a31023d2f9fd684e5828478b0dbaf253462dfe40
Opcode Fuzzy Hash: 2f32e7c80dfbee936582ec30eca54758c9ba6a7b5358a96f9e3d7f290daf78ba
Instruction Fuzzy Hash: 2541D1B1D003499FEB14CF9AC884ADEBFB5BF48314F64812AE519AB210D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018A5364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018A5421

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8990001860269e2486c84af4795c245dea88d41199ac80ddd9e4385a164f210a
Instruction ID: 33bf96acc82c82fe2d5a8dc88896f9536b6c13e91b40015b9e33866478c87afb
Opcode Fuzzy Hash: 8990001860269e2486c84af4795c245dea88d41199ac80ddd9e4385a164f210a
Instruction Fuzzy Hash: 974113B1D01618CFEF14DFA9C8847CDBBB1BF49309F60806AD508AB251D7B55986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018A3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 018A5421

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 576d5f7eb54185505aea47b4d0d6096e3ce91493720e81db060780519b02ab33
Instruction ID: 800634e4c9c3eaaf217946dd0bbb2deccb793ccbd06bb98b1f2847e4db1e2a37
Opcode Fuzzy Hash: 576d5f7eb54185505aea47b4d0d6096e3ce91493720e81db060780519b02ab33
Instruction Fuzzy Hash: 9641F3B0D0131CCBEB24DFAAC88478DBBB1BF49319F50805AD508AB251D7B56986CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018AB8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018AB97F

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1e1fa3c5ba871e2426a682a5f8cc041a6242062cc3b1b817e7fae3ea5caf928a
Instruction ID: a97e92e22913996bbb015d7631f4dd3950eaa0e3a80d46d327122da41b0fc795
Opcode Fuzzy Hash: 1e1fa3c5ba871e2426a682a5f8cc041a6242062cc3b1b817e7fae3ea5caf928a
Instruction Fuzzy Hash: 6621E2B5D002589FDB10CFAAD984ADEBFF8EB48320F14841AE954A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018AB8F2 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018AB97F

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2fdff6065e72c95a736554c709244bb738b1f278f16973c1526f0c1c34eacffc
Instruction ID: 33f383c623495ac0ccbae0169708964aee78d7d2ae67c75fd623bac5f907f339
Opcode Fuzzy Hash: 2fdff6065e72c95a736554c709244bb738b1f278f16973c1526f0c1c34eacffc
Instruction Fuzzy Hash: F22114B5D012589FDB10CFA9D584BDEBFF4EB48310F18841AE954A7210D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018A94B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018A9991,00000800,00000000,00000000), ref: 018A9BA2

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 285ac316effd94975a61f233c03527b53f8579571a45ccd57a49412267c21576
Instruction ID: 2071a379b2f31019c622cd35c6cae33d3d0bb718177cbf53fb723aa90ac00620
Opcode Fuzzy Hash: 285ac316effd94975a61f233c03527b53f8579571a45ccd57a49412267c21576
Instruction Fuzzy Hash: BD1126B6D043598FEB10CF9AD444BDEFBF4EB88324F54842AD919A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018A9B30 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018A9991,00000800,00000000,00000000), ref: 018A9BA2

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5f0887b36aca6e10ff0e5cc35db61f9739c642851bfa780491c619480c3ed163
Instruction ID: fe560d34984387d98bd62349d15b624da69438704953157f39ffc46e9a6bbf04
Opcode Fuzzy Hash: 5f0887b36aca6e10ff0e5cc35db61f9739c642851bfa780491c619480c3ed163
Instruction Fuzzy Hash: 011147B6C003588FDB10CFA9C544BDEBBF4AF48314F04841AD955A7200C374A545CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018A98B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018A9916

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 972add06ed1b949d52c0121796d40ced8bacec2131a146b206ba6904f9f72028
Instruction ID: cdb29f39fe861b164c95fd45bddedb29808a19508eaf0978965ce36a442672bd
Opcode Fuzzy Hash: 972add06ed1b949d52c0121796d40ced8bacec2131a146b206ba6904f9f72028
Instruction Fuzzy Hash: FF1110B5C002498FEB10CF9AC444BDEFBF4EB89324F54842AD969B7200D379A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07FA8568 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 07FA85C5

Memory Dump Source

Source File: 00000000.00000002.268309538.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fa0000_payment copy.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ca0a86921e6b78eedcdf5ce1267b5b2b068cc90f3df09df70c64805384916494
Instruction ID: b2449c8f465d14943f0597550cdb89e83d6b25e6c8e9bf0e378087fabac8c2b0
Opcode Fuzzy Hash: ca0a86921e6b78eedcdf5ce1267b5b2b068cc90f3df09df70c64805384916494
Instruction Fuzzy Hash: 8011E5B58003499FDB10CF9AC985BDEBFF8EB48324F148819D955A7600C375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 018AE5B0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23137fe3ce3ee646de07e360bba3aa69774d100d00e06f5bb595de2868b6a476
Instruction ID: d62b6ae22e2529d617a8ff65a0c200cbbc8017536fb42474eb48e916d030e2a7
Opcode Fuzzy Hash: 23137fe3ce3ee646de07e360bba3aa69774d100d00e06f5bb595de2868b6a476
Instruction Fuzzy Hash: 291292F54137468AE310EF65F9DC1C97BA1BB56328FB0C208D2612BAD9D7B8154ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 018AC164 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b0f10b5a7e571fb8d72c0ea023f1ca27f8de4907532ce5a705816126d8d98d
Instruction ID: fd8bf2c9164f5b215ca81746b2b6839ac2542871b8c996488effbe23301c071c
Opcode Fuzzy Hash: 13b0f10b5a7e571fb8d72c0ea023f1ca27f8de4907532ce5a705816126d8d98d
Instruction Fuzzy Hash: 29A16E36E0021A8FDF05DFE9C8445DEBBB2FF84300B55856AE905EB261DB35AA45CF40

Uniqueness

Uniqueness Score: -1.00%

Function 018AE5A2 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.260952608.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_18a0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372203e21023628ee1d7535baa8c1e1f556d0294f3dd31feb3be37d5ee83d099
Instruction ID: 3d52535fc506ce0653277a16df667fe4a662240359cd426cfd664b962842d48e
Opcode Fuzzy Hash: 372203e21023628ee1d7535baa8c1e1f556d0294f3dd31feb3be37d5ee83d099
Instruction Fuzzy Hash: 63C108B14137468AE710EF64F8DC1C97BB1BB86328F71C208D1612BAD9D7B8144ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 07FA0006 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268309538.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fa0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496e3bffc9a37b68089088e85fa7fd3da9ed4210d350a8409bd54ddeb8d03864
Instruction ID: 0393588ed8489f7f15982c2b38df6d6cf278fd20f9d66874efd110e99e016dac
Opcode Fuzzy Hash: 496e3bffc9a37b68089088e85fa7fd3da9ed4210d350a8409bd54ddeb8d03864
Instruction Fuzzy Hash: 1F4162B1D056588BE719CF6B9D406CAFBF3AFC9210F09C1B6C44CAA225EB350A568F15

Uniqueness

Uniqueness Score: -1.00%

Function 07FA0040 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.268309538.0000000007FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07FA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7fa0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c67377062e35486640f97bface341b8b08f11d4b71e8a8823327e446f3fc4a
Instruction ID: b626100c8f962908185817e96d639244238be85535f18ee91a7ba4c7042e4dd7
Opcode Fuzzy Hash: f0c67377062e35486640f97bface341b8b08f11d4b71e8a8823327e446f3fc4a
Instruction Fuzzy Hash: 774131B1D416199BEB1CCF6B9D4079AFAF3AFC8200F18C1FA951CA6214EB754A918F11

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: payment copy.exePID: 1848, Parent PID: 6064COMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.1%
Total number of Nodes:	122
Total number of Limit Nodes:	8

Executed Functions

Function 06847F88 Relevance: 2.0, APIs: 1, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.542335263.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6840000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e838fc2e4a9d963cd4dd2fd30fb8358ce9d270190522c033c8afe796df3866d
Instruction ID: 63171817b18fca80ba9774548a49e00b9b35abcbdd9a4452a3c78c0def87447f
Opcode Fuzzy Hash: 9e838fc2e4a9d963cd4dd2fd30fb8358ce9d270190522c033c8afe796df3866d
Instruction Fuzzy Hash: 14129D70B002099FDB58EBB4D858BAE77B2AF88348F158429E506DB394DF78DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 03190868 Relevance: 1.8, APIs: 1, Instructions: 262
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 03190AFE

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 4b8a21aad613f8b4ce92d47589572ea3036e256e75850260b1bceb230241b9ce
Instruction ID: 19ff621f4197c59d86ea2a8f429b0fee484a418cd5dedf1228ab13a68a889e1f
Opcode Fuzzy Hash: 4b8a21aad613f8b4ce92d47589572ea3036e256e75850260b1bceb230241b9ce
Instruction Fuzzy Hash: 3281D371E002488FEF24DBA9D8847ADBBB8EF4E324F1444ABE519E7291D7349C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06918620 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0691867F

Memory Dump Source

Source File: 00000001.00000002.542766037.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6910000_payment copy.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3298c2249680c0525d7f2c567fe4d93689637ddd8d27e5b0748b3221fa44b483
Instruction ID: a52e7dff10e79715843dc3b45f6d29c56083938f750ccfea1f9dcc550b0e0992
Opcode Fuzzy Hash: 3298c2249680c0525d7f2c567fe4d93689637ddd8d27e5b0748b3221fa44b483
Instruction Fuzzy Hash: 3D51C431B002099FDB44FBB4D848AAEB7B5FF88204B148A6AD5069F654EF74EC04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0691C120 Relevance: 1.6, APIs: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.542766037.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6910000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e239e4ed66121d81d002a66b0dd6af5b51d1aeeda1b7a6b7195d5eb41d799457
Instruction ID: 78f04c26e00bf9fbe70778734d3856a0f867ea5d932e4de12df2722c865d26df
Opcode Fuzzy Hash: e239e4ed66121d81d002a66b0dd6af5b51d1aeeda1b7a6b7195d5eb41d799457
Instruction Fuzzy Hash: 2A415572E0435A8FCB10DFA5C8443AEBBF5AF89310F25856AD544A7250EB78A841CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0319D70C Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0319D7E2

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a0793f7d8016bbf138d63d0a50538b1d6b5e618ece526877f5988a6216b53470
Instruction ID: 7a75a2b9d20b71e5ae0b1089f7fbaa48a4ba4a5136736944156923ed4bd44837
Opcode Fuzzy Hash: a0793f7d8016bbf138d63d0a50538b1d6b5e618ece526877f5988a6216b53470
Instruction Fuzzy Hash: 783125B5D002498FEF18CFA9D8957AEFBF1FB08314F14852AE815AB290D7749446CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0319B7D4 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 0319D7E2

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b9f5a4e1717ec0dc9fb35ea1f5c960d52631deed95c94cd645c2dfcaf5a81944
Instruction ID: 251b239550408016b0f00a9fb309f7ff424734057f4cce4bcbac86703c727e7a
Opcode Fuzzy Hash: b9f5a4e1717ec0dc9fb35ea1f5c960d52631deed95c94cd645c2dfcaf5a81944
Instruction Fuzzy Hash: 2C3134B0D042498FEF18CFA9D8957AEFBF1FB08314F14852AE815AB290D7749485CF92

Uniqueness

Uniqueness Score: -1.00%

Function 06917C78 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 06917D31

Memory Dump Source

Source File: 00000001.00000002.542766037.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6910000_payment copy.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3fb1a40effc8e39606093eef05e6a300912311c64a9720e956b75bd0c187c79e
Instruction ID: e045d9155dd098030227b0fde038d6a3d7d443ef9d6b15e8c9eb10ea930ad5e2
Opcode Fuzzy Hash: 3fb1a40effc8e39606093eef05e6a300912311c64a9720e956b75bd0c187c79e
Instruction Fuzzy Hash: 2531EEB5D002599FCB10CFEAC884A9EBFF5BF48310F24812AE819AB314C7749905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 069179C0 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 06917A74

Memory Dump Source

Source File: 00000001.00000002.542766037.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6910000_payment copy.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 96e1cd21e48c4bf42f987324186a0e6cfa02c74cfb2952f7d95642613179d285
Instruction ID: 03331f5e65313f6d04cb496d7caac5b442cadccffd9a9e4e19ec7797e8cb4c06
Opcode Fuzzy Hash: 96e1cd21e48c4bf42f987324186a0e6cfa02c74cfb2952f7d95642613179d285
Instruction Fuzzy Hash: D331F0B1D012499FDB00CF99C584B8EFFF5BF48314F29816AE409AB340C7B59985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031957DF Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031958BA

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: f06e28681e58c7fe8c17b7cc72731ee531e3d7dad15f54f9fe045dc11d55dfae
Instruction ID: 0aa7671af0fbbfbbb91fe543f62d1353daa530294c997ac60ef250c83beec1e7
Opcode Fuzzy Hash: f06e28681e58c7fe8c17b7cc72731ee531e3d7dad15f54f9fe045dc11d55dfae
Instruction Fuzzy Hash: B221CA749003498FEB12DFA9E40A399BBF4EB0A304F1480ABD415A7240DB796509CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 03195832 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031958BA

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: b60defda0b9c53d943a833b794ccc5ed2ab067aab5ac227e9d2ed6e633b1670b
Instruction ID: f18a0b1c53f1ac96a1761c23e9c645ed04373a8c044060c5ee89b3418b89cf6d
Opcode Fuzzy Hash: b60defda0b9c53d943a833b794ccc5ed2ab067aab5ac227e9d2ed6e633b1670b
Instruction Fuzzy Hash: BB2174B5D013898FDB12DFA9D54939EBBF4EB09314F1888AAD404B3600CB386505CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06918BA4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0691C172), ref: 0691C25F

Memory Dump Source

Source File: 00000001.00000002.542766037.0000000006910000.00000040.00000800.00020000.00000000.sdmp, Offset: 06910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6910000_payment copy.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 6341e7d3e0cbebdf9108ee7a6bfabfd9d05969c2616bea675cb58eed8b2d0fe5
Instruction ID: d39d111c2aba84a3e5e06fc0a405e2fb6426f4d1faeba6a65d327df82993e8b6
Opcode Fuzzy Hash: 6341e7d3e0cbebdf9108ee7a6bfabfd9d05969c2616bea675cb58eed8b2d0fe5
Instruction Fuzzy Hash: A31133B1C046299BDB10CF9AC444BEEFBF4AB48320F15856AD814B7240D7B8A945CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 03195840 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEncodePointer.NTDLL(00000000), ref: 031958BA

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 7b53a9c250333d9f9928a144b94e2d0f11810d59ae85721bcea60c03956e7808
Instruction ID: 465d629dd5949ba944da3749e2b3bb9d4cee64e83323d95a14894d3034c0fac5
Opcode Fuzzy Hash: 7b53a9c250333d9f9928a144b94e2d0f11810d59ae85721bcea60c03956e7808
Instruction Fuzzy Hash: C11183B0D003898FEF21DFAAD40879EBBF8EB49314F1484AAD404B3600CB38A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03190A90 Relevance: 1.6, APIs: 1, Instructions: 52
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 03190AFE

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 6fc83ae6bd4c5d9f81422b24adf7674a8ce7eb7b8b6d2c16ed28b526bf8215ba
Instruction ID: d7675077c7a1677975bc4afe2e999c4bc8273a2c7900929627b6d6938d59d084
Opcode Fuzzy Hash: 6fc83ae6bd4c5d9f81422b24adf7674a8ce7eb7b8b6d2c16ed28b526bf8215ba
Instruction Fuzzy Hash: 8811F0B59002499FDB10CF9AD884BDEBFF8FF88324F14841AE519A7210C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137D976 Relevance: 1.5, Instructions: 1453COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.509830545.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_137d000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802e8e32222de71400391d09d3c0e7156f66fdb432e0aa04bd1f7030237712e4
Instruction ID: 117d6956044df67685e00f51e7c5edf3cc00918a6ca97a7ba2c5255926ab1a64
Opcode Fuzzy Hash: 802e8e32222de71400391d09d3c0e7156f66fdb432e0aa04bd1f7030237712e4
Instruction Fuzzy Hash: 8862053244E7C18FCB278BB49C605953FB1AE1722471F02DBD884DF6A3D26D5A5AC722

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF56F Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

k3<, xrefs: 05BCF576

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID: k3<
API String ID: 0-719725580
Opcode ID: 83e82d623f8f5e86246a09cf7e2224d023d0280bcdd7ff8b58b4dc011582afa5
Instruction ID: 78ef93a47ef778ffcb039e4bf8390eafaf6f0e2a4698137972a437f9df25068e
Opcode Fuzzy Hash: 83e82d623f8f5e86246a09cf7e2224d023d0280bcdd7ff8b58b4dc011582afa5
Instruction Fuzzy Hash: B8216071E0051A8FCB14DF68C8849BEBBB3FF84314F1581D9E615AB2A0CB34AC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 03190B43 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 03190BA7

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 30ee8169a900dec0867f4e4db2e2d76826aa9616564ced6b301c71dc5a574fd7
Instruction ID: 8cbb140a658ea1ec91f40f85774529a4009bb53eb4ce3f471a8f5f0d4a9e5fa4
Opcode Fuzzy Hash: 30ee8169a900dec0867f4e4db2e2d76826aa9616564ced6b301c71dc5a574fd7
Instruction Fuzzy Hash: 2911F2B48002498FDB20CF9AD484BDEBFF4AB88324F14846AD459A3200C7B56544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03190B48 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 03190BA7

Memory Dump Source

Source File: 00000001.00000002.517584802.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3190000_payment copy.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3a444e7154fa60f0eac6bb4606a95edf8b65c01da91497bedc09e428550611df
Instruction ID: a65cc288f2da37a3624969920d4e732d8ba5ef0a6c338dca48d6f7e725fe22fa
Opcode Fuzzy Hash: 3a444e7154fa60f0eac6bb4606a95edf8b65c01da91497bedc09e428550611df
Instruction Fuzzy Hash: 1911F0B5800259CFDB20CF9AD484BDEFFF4EB88328F14846AD559A7250C7B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0137DA81 Relevance: 1.2, Instructions: 1171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.509830545.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_137d000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05aec91688ccd45f69418e005feee2ba2536446c340c94d21be1cdeaefdb8288
Instruction ID: fca46eb7f8bf73ef7132f56495553a90476b06d0eaf14f4bc815e47cd65682c5
Opcode Fuzzy Hash: 05aec91688ccd45f69418e005feee2ba2536446c340c94d21be1cdeaefdb8288
Instruction Fuzzy Hash: 7642F23244E7C18FCB278B749C605963FB0AE1722471F02DBD884DF6A3D26D5A5AC762

Uniqueness

Uniqueness Score: -1.00%

Function 05BCE090 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e0a6f8eef128c7e9dfb2b0a9c314a7b7be81d6e90a751678bc3ef3b51bb06e
Instruction ID: 0b7683aa2cc522fac14b0c046c8a3fbbb8274720b5d3dcdf817e90187c28540f
Opcode Fuzzy Hash: 35e0a6f8eef128c7e9dfb2b0a9c314a7b7be81d6e90a751678bc3ef3b51bb06e
Instruction Fuzzy Hash: 7E515831314111CFDB15DF39D888A6ABBEAFF8865071A85E9E416CF3A1DB30EC118B64

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF384 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993ac0099d426297c9c948b1dca9359c703ae4567667aa91489a7c47ec586226
Instruction ID: 67b9b41e84e312d450e31d9a2f8e18dfaf477faf1d873403bbbc40b11a52793a
Opcode Fuzzy Hash: 993ac0099d426297c9c948b1dca9359c703ae4567667aa91489a7c47ec586226
Instruction Fuzzy Hash: CC31E0367041049FCB18AB74D8546AEBBE7EFCD215F1580A9D50ADB394DF70EC0287A1

Uniqueness

Uniqueness Score: -1.00%

Function 05BCFEC0 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1f467ed0589774ff66640f31447393e7663520e9a53e676054cda7f8a46bf8
Instruction ID: 122097a33b5d4dc43948e2ab042a083840dcba67a5372dbfb69449ee4cd71435
Opcode Fuzzy Hash: 7b1f467ed0589774ff66640f31447393e7663520e9a53e676054cda7f8a46bf8
Instruction Fuzzy Hash: 0231AD313046459FCB19EF29E858A7E3BA7FB89210B0480E9F906CB295CB34EC028765

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF260 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbffc32783cbfec42def55726721a69b4dee266ba01a18c404602401cd07657
Instruction ID: 72b8328231e847a7b07c471f8e3728ece6c066286f89316eb21359ec33be197a
Opcode Fuzzy Hash: afbffc32783cbfec42def55726721a69b4dee266ba01a18c404602401cd07657
Instruction Fuzzy Hash: D231D5303086569FCB25DA64D894A7D7FA7FBC1640B1944EEE017CB2A1CB24EC80C796

Uniqueness

Uniqueness Score: -1.00%

Function 05BCE2E0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbc8350f29b4be29a0e954a5800da59c68a3ffae0fb5279c7e1c37688993a50
Instruction ID: 1fdf2da6e440f2643101e0ec2e5ad63fb6f0bbadc6934d796f7707084081794f
Opcode Fuzzy Hash: 0cbc8350f29b4be29a0e954a5800da59c68a3ffae0fb5279c7e1c37688993a50
Instruction Fuzzy Hash: 9D21AE303142168BEB1756359458A3E7A8FFFC4608F1440FCD602CB7A5DF69F881975A

Uniqueness

Uniqueness Score: -1.00%

Function 05BCE1D8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7bdc92fabb26ab44e77c25270848ac8ec2397ef941f132d33acf67c0c60796
Instruction ID: 0cbcc6e7503cd137c7d29d105d484399240eecf04f9fa12ba92c0b627efcfcf7
Opcode Fuzzy Hash: cc7bdc92fabb26ab44e77c25270848ac8ec2397ef941f132d33acf67c0c60796
Instruction Fuzzy Hash: C2216031318255CBD716CEAA9884B6BBFEEEB99210B4445EDF857CF240DB74EC408B64

Uniqueness

Uniqueness Score: -1.00%

Function 05BCE2D3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6805fda4102dac990fcdd6525ab3f6909d4e9a37d753ea07643b6f0ea8f6cb94
Instruction ID: 68d218a39ef8980bcff53b329bcd5460bc6c121a7e7ee19e062eacd9199af395
Opcode Fuzzy Hash: 6805fda4102dac990fcdd6525ab3f6909d4e9a37d753ea07643b6f0ea8f6cb94
Instruction Fuzzy Hash: F821CF313006168BEB1757759889B3E6A8FFFC4508B0440FCD602CB7A5DB68F841975A

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.509357950.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_136d000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe71af0c69f800eb71519243cf28d878e616597ed8297e7bb54db318f938f62
Instruction ID: 3f81b492ce5824fc86fe55649574b5948616fb29eb21c9634bae3e2577e6a00c
Opcode Fuzzy Hash: 8fe71af0c69f800eb71519243cf28d878e616597ed8297e7bb54db318f938f62
Instruction Fuzzy Hash: 5A213AB1604244DFDB05CF94D9C0F26BF69FB8832CF24C569DA454B61AC336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0137E3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.509830545.000000000137D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0137D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_137d000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fefa4dd317c72038cc09d6eb5439d87f2485fdd8bd3af6c0b65528f50b34e37
Instruction ID: e4eb21687acb454852bcdd779d21a22659a5317e6b09f8d31b35ba57c19afefe
Opcode Fuzzy Hash: 0fefa4dd317c72038cc09d6eb5439d87f2485fdd8bd3af6c0b65528f50b34e37
Instruction Fuzzy Hash: B321F575608204DFDB25CF24D8C4B26BB65FB84318F24C9BDD9495B346C33ED846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 05BCFE28 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d8d7e02cd93f4b59acc8bae3f780ddd852cae5aad596f532c7723d2fa6e4f3
Instruction ID: 2beda3f0b8965c33482b018c4ce293d6396e19786d53f1d2c6a00461ba58efd7
Opcode Fuzzy Hash: d4d8d7e02cd93f4b59acc8bae3f780ddd852cae5aad596f532c7723d2fa6e4f3
Instruction Fuzzy Hash: 90110D75E0021A9FCB10EF99D844ABFFBBAFB88210F10446AE915E3241D7749A55CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0136D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.509357950.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_136d000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction ID: 8913ae5276e7dbd712d6f385c72be0e0bffb28c6e4b4a8bb28a880ffbe0126e4
Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction Fuzzy Hash: 9D11D376504280CFCB12CF54D5C4B16BF71FB88328F28C6A9D9454B65BC33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05BCFE22 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3400c572d38434bea3e06d0354e03c4821c08de350dd864ca7e30b932cbd8f30
Instruction ID: f3f9694358a7563fd101dd4a17cd1e8d485c338f31bcc22f5d03c426df05276e
Opcode Fuzzy Hash: 3400c572d38434bea3e06d0354e03c4821c08de350dd864ca7e30b932cbd8f30
Instruction Fuzzy Hash: 0D1130B1E0021A9FCB10EFA9D8449FFBBB6FB88310F10456AE515E3244D7749A51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BCDFE8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c955e161e7a0842e264082e53b934f136178982bd78b93949a4dc91e993d9099
Instruction ID: 252ff04484899ca56f9b300612258f011722a0690db0c7e13dc04ca92417f13d
Opcode Fuzzy Hash: c955e161e7a0842e264082e53b934f136178982bd78b93949a4dc91e993d9099
Instruction Fuzzy Hash: 17F09C313445118B97165A2E9455A2A7BDFFFC4A5131500FDE506C7371DEA5EC0187E8

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF239 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1307799f09838fb8bd4d8ae2cb31b5db2edec47c95baa7a4d34b84d70460d5df
Instruction ID: 51c6e0a20641f98ca5f9a719404257d7bd089123d824e0752121d9dfd1f39fae
Opcode Fuzzy Hash: 1307799f09838fb8bd4d8ae2cb31b5db2edec47c95baa7a4d34b84d70460d5df
Instruction Fuzzy Hash: 5AE0C23A34D2098FDB0CAA65A98DB74BF37FB9016171801FFE507CD192E725A044CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF229 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f87b4cd5eddd0b26445881850fcc93d0bfdb08135e439bd3cc9cc0d07b937b
Instruction ID: 1572e9e609f900ef138f5871bf88bf8025fe12640bce00e79801fa84cf22477b
Opcode Fuzzy Hash: e9f87b4cd5eddd0b26445881850fcc93d0bfdb08135e439bd3cc9cc0d07b937b
Instruction Fuzzy Hash: 5CE0263B20C1442BD722409E7C416F53F1DD2C22B470501EBF51CDB140D042A85683B9

Uniqueness

Uniqueness Score: -1.00%

Function 05BCF252 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.540230715.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5bc0000_payment copy.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdfacfbc96f9883a775be626ed3395e90db08a7730a3e71e5477131051a04b74
Instruction ID: fd730626ad64dff0c33cacffbc75e9fe76590692a7da87601d9baa5e768e6ef9
Opcode Fuzzy Hash: fdfacfbc96f9883a775be626ed3395e90db08a7730a3e71e5477131051a04b74
Instruction Fuzzy Hash: 09D05E7360C5143BE721408EAC41BB76A4ED3C13B5E1641EBF40C931809482AC8041A9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: WdFVsOe.exePID: 5864, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	119
Total number of Limit Nodes:	9

Executed Functions

Function 0142FCD8 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0142FE4A

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 5991b1b3c63275f15a978e50c9f53205c80c9fcd182459131274ef05589dc96f
Instruction ID: 40a2f0eb7334d2334562e91c8947c995498848b1882116ea24b4cbf796fb0057
Opcode Fuzzy Hash: 5991b1b3c63275f15a978e50c9f53205c80c9fcd182459131274ef05589dc96f
Instruction Fuzzy Hash: A25101B1C00249AFDF11CFA9C884ACEBFB1BF48314F54816AE918AB221D7359895CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0142DE0C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0142FE4A

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: c572b2fd621f37fc555ca09f9b8e52a03409a44221a452173d76f25849b965bd
Instruction ID: 60c25f04b5ee9f8611c256115dcc565756a1283bf7494a48ca1efff399c36a0d
Opcode Fuzzy Hash: c572b2fd621f37fc555ca09f9b8e52a03409a44221a452173d76f25849b965bd
Instruction Fuzzy Hash: 1C51B0B1D103199FDB14CF9AC884ADEBFB5BF48314F64852AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01425364 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01425421

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: ee07bc5aba8f63c138666e02596a7cac44bb43d91b1f186fdc8c5fa05e829d12
Instruction ID: 564dab6682e83682fba9c65f2238987f73febb5466212052ab56c187766fddbc
Opcode Fuzzy Hash: ee07bc5aba8f63c138666e02596a7cac44bb43d91b1f186fdc8c5fa05e829d12
Instruction Fuzzy Hash: ED41D471D00229CBDB24DFA9C844BCEFBB5BF59309F60806AD418AB251DBB56946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01423DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01425421

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6086c64f2c645f76bc4edb424edbe8361a76a59f82e618b6c260340e4a098d14
Instruction ID: 229651420e80d0c81999d03d39d201f96c30a02b598d64851909e3ab06fdc7a4
Opcode Fuzzy Hash: 6086c64f2c645f76bc4edb424edbe8361a76a59f82e618b6c260340e4a098d14
Instruction Fuzzy Hash: CE41F570D04228CBDB24DFA9C8447DEFBB1BF48308F50806AD418AB251D7B56946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01429840 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0142B8BE,?,?,?,?,?), ref: 0142B97F

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 45e7089037011775610cb434959f9914acfaf0f150ccfe9938e01f700950083f
Instruction ID: 92c6ab36b6cd812bcd5e30fe6f60a9c2fe17a5b79da17aadefa7a14c887adec9
Opcode Fuzzy Hash: 45e7089037011775610cb434959f9914acfaf0f150ccfe9938e01f700950083f
Instruction Fuzzy Hash: 1A21E3B5900219AFDB10CF9AD484ADEBBF8EB48324F54841AE958A7310D774A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0142B8F2 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0142B8BE,?,?,?,?,?), ref: 0142B97F

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6a7caf6aead93f34557fb3690bd82a43c6b7a40c40ac379f16486689967fee96
Instruction ID: d0bd9b8c61e13c3bae13a4a85bbed7e5cbfc035600342f3c98a1ea4cb929668b
Opcode Fuzzy Hash: 6a7caf6aead93f34557fb3690bd82a43c6b7a40c40ac379f16486689967fee96
Instruction Fuzzy Hash: BD21E2B5D002189FDB10CFA9D584BDEBBF4EB48324F14841AE954A3310D378A944CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 014294B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01429991,00000800,00000000,00000000), ref: 01429BA2

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c3479a2fed79dc5526ee17cdc6e087594b3a2c91e97c16896fd7ebab5f823bca
Instruction ID: 31e165c02b9353842252eaef8e799e406bb477e7d0d971cc80d7aa1a06587b66
Opcode Fuzzy Hash: c3479a2fed79dc5526ee17cdc6e087594b3a2c91e97c16896fd7ebab5f823bca
Instruction Fuzzy Hash: DB1133B69002188FDB10CF9AD444BDEFBF4BB88324F44842AD919A7200C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01429B30 Relevance: 1.6, APIs: 1, Instructions: 52
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01429991,00000800,00000000,00000000), ref: 01429BA2

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b128a3d568f9992102ec28d914acd13f6c401ec160dadc4e7da0e031464df8a9
Instruction ID: 2c476be2a3cfb31aa6ea5bf2b52ad60684dd848ab89e527ce5e88591e24f9ec2
Opcode Fuzzy Hash: b128a3d568f9992102ec28d914acd13f6c401ec160dadc4e7da0e031464df8a9
Instruction Fuzzy Hash: 0E1112B6D002198FDB10CF9AC544BDEBBF4BF88324F55842AD919A7600C778A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07488F50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 07488FA8

Memory Dump Source

Source File: 0000000B.00000002.321552638.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7480000_WdFVsOe.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 79c8c9994f11ac9d551bbe993999629efb80c4b9fec195ccd2326bb88db380e3
Instruction ID: 96450d463105035b5aba152ff4c7f011cc5fd14c73ee2fa771aeea30ab76e31c
Opcode Fuzzy Hash: 79c8c9994f11ac9d551bbe993999629efb80c4b9fec195ccd2326bb88db380e3
Instruction Fuzzy Hash: 841145B1800209CFDB10DF9AC548BDEBBF8EF88324F14842AD968A7340C738A544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014298A8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01429916

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 0fd0886b2e225caec04cc681a50f0273e2c729c9fc40ee45ed352f668f10e5cb
Instruction ID: 4760fa19380f5bc4d74ec7fb386793a77c7edc7da68df735fdd4bcc97c9c5a8f
Opcode Fuzzy Hash: 0fd0886b2e225caec04cc681a50f0273e2c729c9fc40ee45ed352f668f10e5cb
Instruction Fuzzy Hash: 1F11FDB6D002598BDB10CF9AC548BDEBBF5AF48328F54842AC469B7710D378A585CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 014298B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 01429916

Memory Dump Source

Source File: 0000000B.00000002.307284423.0000000001420000.00000040.00000800.00020000.00000000.sdmp, Offset: 01420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_1420000_WdFVsOe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 51a1ee4794405f67dfcf7aa4cfa6273a2a375fcdfa79e90ba8165e22da08119a
Instruction ID: 7bac44b00dedcde2b319bf5f623a211bc332b32d47ed38b50494628fe6f3fda9
Opcode Fuzzy Hash: 51a1ee4794405f67dfcf7aa4cfa6273a2a375fcdfa79e90ba8165e22da08119a
Instruction Fuzzy Hash: 7C110FB5D002598FDB10CF9AC448BDEFBF4EB88224F54842AD869A7710C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07488568 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 074885C5

Memory Dump Source

Source File: 0000000B.00000002.321552638.0000000007480000.00000040.00000800.00020000.00000000.sdmp, Offset: 07480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7480000_WdFVsOe.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ffced67f908c227f4230b7fcbd98073552dc6617624fe1ea3ecd026f7aa8d5f7
Instruction ID: aafb3e541fe53d99f2c3b30bc6a34804e16ca728de587abe987fe8ed61524342
Opcode Fuzzy Hash: ffced67f908c227f4230b7fcbd98073552dc6617624fe1ea3ecd026f7aa8d5f7
Instruction Fuzzy Hash: 4211D0B58002499FDB10DF9AC889BDFBFF8EB58324F14881AE954A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0139D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.307128522.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_139d000_WdFVsOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80328cf5ace258dc835b297607d2a98afa79627fbeda5baeeec28f2d280c6b4a
Instruction ID: 9094e8610e325719377f9e0457165d15f0cd496bcd723c0ae594d302aa4e3b2e
Opcode Fuzzy Hash: 80328cf5ace258dc835b297607d2a98afa79627fbeda5baeeec28f2d280c6b4a
Instruction Fuzzy Hash: 852134B1608204DFDF15CFA4D8C5B26BB65FB84358F24C6A9D94A4B346C33AD807CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0139D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.307128522.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_139d000_WdFVsOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad1385ad2daba4563a37f3253dae980b99279ae4083f155043e3f36acfeabec
Instruction ID: 86d5b51af8857bb6ebb05a9ed89b20d9d4c00ba09c76f37e39f09d1c8fb34172
Opcode Fuzzy Hash: bad1385ad2daba4563a37f3253dae980b99279ae4083f155043e3f36acfeabec
Instruction Fuzzy Hash: 502137B1504204DFDF05CF94D5C1B26BB65FB84328F24C6ADD9894B246C33AD806CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0139D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.307128522.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_139d000_WdFVsOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction ID: 0b0a7c4e043aa20db90bc4e92d8a18db8ac447511f7734e79f4fc0411fc9f0d8
Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction Fuzzy Hash: 54118B75904280DFDF12CF54D5C4B15BBB1FB84228F28C6AAD8894B696C33AD44ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0139D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.307128522.000000000139D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0139D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_139d000_WdFVsOe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction ID: afd366eb45ce86f2555d85cac1b2fdbfeeeda0022db42e46d0433cea44c649ad
Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction Fuzzy Hash: B1118B75504280DFDB12CF58D5D4B15BBA1FB84328F28C6AAD8494B756C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report payment copy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\WdFVsOe.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy.exe.log

C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe

C:\Users\user\AppData\Roaming\WdFVsOe\WdFVsOe.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
payment copy.exe

Function 018AFBEA Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Function 018AB6C1 Relevance: 6.1, APIs: 4, Instructions: 121
threadCOMMON

Function 018AB6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 018AFD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 018A5364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 018A3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 018AB8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 018AB8F2 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 018A94B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 018A9B30 Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 018A98B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 07FA8568 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre