Windows Analysis Report
Payment TT Copy.PDF.exe

AI detected suspicious sample

Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment TT Copy.PDF.exe

Joe Sandbox ML: detected

Source: Payment TT Copy.PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Payment TT Copy.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: vysx.pdb source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment TT Copy.PDF.exe, Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: vysx.pdbSHA256 source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr

Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2127687121.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, VajtonZVfAG.exe, 0000000E.00000002.2177704253.0000000002E99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Payment TT Copy.PDF.exe
Source: initial sample	Static PE information: Filename: Payment TT Copy.PDF.exe

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0042BFE3 NtClose,	13_2_0042BFE3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62B60 NtClose,LdrInitializeThunk,	13_2_00F62B60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_00F62C70
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_00F62DF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F635C0 NtCreateMutant,LdrInitializeThunk,	13_2_00F635C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F64340 NtSetContextThread,	13_2_00F64340
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F64650 NtSuspendThread,	13_2_00F64650
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62AF0 NtWriteFile,	13_2_00F62AF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62AD0 NtReadFile,	13_2_00F62AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62AB0 NtWaitForSingleObject,	13_2_00F62AB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62BF0 NtAllocateVirtualMemory,	13_2_00F62BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62BE0 NtQueryValueKey,	13_2_00F62BE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62BA0 NtEnumerateValueKey,	13_2_00F62BA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62B80 NtQueryInformationFile,	13_2_00F62B80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62CF0 NtOpenProcess,	13_2_00F62CF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62CC0 NtQueryVirtualMemory,	13_2_00F62CC0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62CA0 NtQueryInformationToken,	13_2_00F62CA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62C60 NtCreateKey,	13_2_00F62C60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62C00 NtQueryInformationProcess,	13_2_00F62C00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62DD0 NtDelayExecution,	13_2_00F62DD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62DB0 NtEnumerateKey,	13_2_00F62DB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62D30 NtUnmapViewOfSection,	13_2_00F62D30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62D10 NtMapViewOfSection,	13_2_00F62D10
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62D00 NtSetInformationFile,	13_2_00F62D00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62EE0 NtQueueApcThread,	13_2_00F62EE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62EA0 NtAdjustPrivilegesToken,	13_2_00F62EA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62E80 NtReadVirtualMemory,	13_2_00F62E80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62E30 NtWriteVirtualMemory,	13_2_00F62E30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62FE0 NtCreateFile,	13_2_00F62FE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62FB0 NtResumeThread,	13_2_00F62FB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62FA0 NtQuerySection,	13_2_00F62FA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62F90 NtProtectVirtualMemory,	13_2_00F62F90
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62F60 NtCreateProcessEx,	13_2_00F62F60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62F30 NtCreateSection,	13_2_00F62F30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F63090 NtSetValueKey,	13_2_00F63090
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F63010 NtOpenDirectoryObject,	13_2_00F63010
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F639B0 NtGetContextThread,	13_2_00F639B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F63D70 NtOpenThread,	13_2_00F63D70
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F63D10 NtOpenProcessToken,	13_2_00F63D10

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_0155DEEC	0_2_0155DEEC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B1900	0_2_075B1900
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B47B8	0_2_075B47B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B6450	0_2_075B6450
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B6441	0_2_075B6441
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B4380	0_2_075B4380
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075BD0E8	0_2_075BD0E8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B6E00	0_2_075B6E00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B4BF0	0_2_075B4BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B4BE0	0_2_075B4BE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B1982	0_2_075B1982
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B18EF	0_2_075B18EF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0040F84A	13_2_0040F84A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0040F853	13_2_0040F853
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_004010CA	13_2_004010CA
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_004010D0	13_2_004010D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_004161A3	13_2_004161A3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0040FA73	13_2_0040FA73
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00401230	13_2_00401230
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_004022C0	13_2_004022C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0040DAF3	13_2_0040DAF3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00402DC0	13_2_00402DC0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0042E5B3	13_2_0042E5B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00402640	13_2_00402640
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE81CC	13_2_00FE81CC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF01AA	13_2_00FF01AA
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE41A2	13_2_00FE41A2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB8158	13_2_00FB8158
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCA118	13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20100	13_2_00F20100
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB02C0	13_2_00FB02C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E3F0	13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF03E6	13_2_00FF03E6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEA352	13_2_00FEA352
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDE4F6	13_2_00FDE4F6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE2446	13_2_00FE2446
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD4420	13_2_00FD4420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF0591	13_2_00FF0591
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4C6E0	13_2_00F4C6E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2C7C0	13_2_00F2C7C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F54750	13_2_00F54750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E8F0	13_2_00F5E8F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F168B8	13_2_00F168B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3A840	13_2_00F3A840
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F32840	13_2_00F32840
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FFA9A6	13_2_00FFA9A6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F46962	13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE6BD7	13_2_00FE6BD7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEAB40	13_2_00FEAB40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20CF2	13_2_00F20CF2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0CB5	13_2_00FD0CB5
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30C00	13_2_00F30C00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2ADE0	13_2_00F2ADE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F48DBF	13_2_00F48DBF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCCD1F	13_2_00FCCD1F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3AD00	13_2_00F3AD00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEEEDB	13_2_00FEEEDB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42E90	13_2_00F42E90
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FECE93	13_2_00FECE93
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30E59	13_2_00F30E59
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEEE26	13_2_00FEEE26
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3CFE0	13_2_00F3CFE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F22FC8	13_2_00F22FC8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAEFA0	13_2_00FAEFA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA4F40	13_2_00FA4F40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F50F30	13_2_00F50F30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD2F30	13_2_00FD2F30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F72F28	13_2_00F72F28
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE70E9	13_2_00FE70E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEF0E0	13_2_00FEF0E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDF0CC	13_2_00FDF0CC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F370C0	13_2_00F370C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3B1B0	13_2_00F3B1B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1F172	13_2_00F1F172
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FFB16B	13_2_00FFB16B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F6516C	13_2_00F6516C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD12ED	13_2_00FD12ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4B2C0	13_2_00F4B2C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F352A0	13_2_00F352A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F7739A	13_2_00F7739A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1D34C	13_2_00F1D34C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE132D	13_2_00FE132D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F21460	13_2_00F21460
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEF43F	13_2_00FEF43F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF95C3	13_2_00FF95C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCD5B0	13_2_00FCD5B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE7571	13_2_00FE7571
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE16CC	13_2_00FE16CC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F75630	13_2_00F75630
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEF7B0	13_2_00FEF7B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F338E0	13_2_00F338E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9D800	13_2_00F9D800
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F39950	13_2_00F39950
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4B950	13_2_00F4B950
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC5910	13_2_00FC5910
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDDAC6	13_2_00FDDAC6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCDAAC	13_2_00FCDAAC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F75AA0	13_2_00F75AA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD1AA3	13_2_00FD1AA3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA3A6C	13_2_00FA3A6C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEFA49	13_2_00FEFA49
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE7A46	13_2_00FE7A46
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA5BF0	13_2_00FA5BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F6DBF9	13_2_00F6DBF9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4FB80	13_2_00F4FB80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEFB76	13_2_00FEFB76
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEFCF2	13_2_00FEFCF2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA9C32	13_2_00FA9C32
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4FDC0	13_2_00F4FDC0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE7D73	13_2_00FE7D73
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE1D5A	13_2_00FE1D5A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F33D40	13_2_00F33D40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F39EB0	13_2_00F39EB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEFFB1	13_2_00FEFFB1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F31F92	13_2_00F31F92
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEFF09	13_2_00FEFF09
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_0132DEEC	14_2_0132DEEC
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_02D00040	14_2_02D00040
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_02D00007	14_2_02D00007
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07391900	14_2_07391900
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_0739BF28	14_2_0739BF28
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_073947B8	14_2_073947B8
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07396E00	14_2_07396E00
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07396450	14_2_07396450
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07396441	14_2_07396441
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07394380	14_2_07394380
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07394BF0	14_2_07394BF0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07394BE0	14_2_07394BE0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07391157	14_2_07391157
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07391982	14_2_07391982
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_073918EF	14_2_073918EF
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017B0100	19_2_017B0100
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01806000	19_2_01806000
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_018402C0	19_2_018402C0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C0535	19_2_017C0535
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C0770	19_2_017C0770
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017E4750	19_2_017E4750
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017BC7C0	19_2_017BC7C0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DC6E0	19_2_017DC6E0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017D6962	19_2_017D6962
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C29A0	19_2_017C29A0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017CA840	19_2_017CA840
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C2840	19_2_017C2840
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017EE8F0	19_2_017EE8F0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017A68B8	19_2_017A68B8
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017F8890	19_2_017F8890
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017BEA80	19_2_017BEA80
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017CED7A	19_2_017CED7A
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017CAD00	19_2_017CAD00
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017BADE0	19_2_017BADE0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C8DC0	19_2_017C8DC0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017D8DBF	19_2_017D8DBF
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C0C00	19_2_017C0C00
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017B0CF2	19_2_017B0CF2
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_0183EFA0	19_2_0183EFA0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017E0F30	19_2_017E0F30
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01802F28	19_2_01802F28
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017B2FC8	19_2_017B2FC8
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01834F40	19_2_01834F40
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C0E59	19_2_017C0E59
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017D2E90	19_2_017D2E90
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017AF172	19_2_017AF172
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017F516C	19_2_017F516C
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017CB1B0	19_2_017CB1B0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017AD34C	19_2_017AD34C
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C33F3	19_2_017C33F3
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DD2F0	19_2_017DD2F0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DB2C0	19_2_017DB2C0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C52A0	19_2_017C52A0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017B1460	19_2_017B1460
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_018074E0	19_2_018074E0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C3497	19_2_017C3497
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017CB730	19_2_017CB730
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C9950	19_2_017C9950
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DB950	19_2_017DB950
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C5990	19_2_017C5990
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_0182D800	19_2_0182D800
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C38E0	19_2_017C38E0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01835BF0	19_2_01835BF0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017FDBF9	19_2_017FDBF9
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DFB80	19_2_017DFB80
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01833A6C	19_2_01833A6C
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C3D40	19_2_017C3D40
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017DFDC0	19_2_017DFDC0
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017D9C20	19_2_017D9C20
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01839C32	19_2_01839C32
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C1F92	19_2_017C1F92
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017C9EB0	19_2_017C9EB0

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: String function: 00F65130 appears 58 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: String function: 00FAF290 appears 105 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: String function: 00F77E54 appears 111 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: String function: 00F1B970 appears 280 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: String function: 00F9EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: String function: 0182EA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: String function: 01807E54 appears 97 times

Source: Payment TT Copy.PDF.exe

Static PE information: invalid certificate

Source: Payment TT Copy.PDF.exe, 00000000.00000002.2147183357.0000000007F80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2146677318.0000000007AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameh vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000000.2097070980.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamevysx.exe> vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2116090602.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.000000000101D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe	Binary or memory string: OriginalFilenamevysx.exe> vs Payment TT Copy.PDF.exe

Source: Payment TT Copy.PDF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Payment TT Copy.PDF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VajtonZVfAG.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, dMEHjpgLgkpneUikvJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, dMEHjpgLgkpneUikvJ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@0/0

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp78CA.tmp

Source: Payment TT Copy.PDF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment TT Copy.PDF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Payment TT Copy.PDF.exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File read: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Source: unknown	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: Payment TT Copy.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment TT Copy.PDF.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Payment TT Copy.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: vysx.pdb source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment TT Copy.PDF.exe, Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: vysx.pdbSHA256 source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr

Data Obfuscation

Source: Payment TT Copy.PDF.exe, MainForm.cs	.Net Code: InitializeComponent
Source: VajtonZVfAG.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs	.Net Code: hea2mJKgcR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs	.Net Code: hea2mJKgcR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	.Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])

Source: Payment TT Copy.PDF.exe

Static PE information: 0xA55FACED [Sun Dec 2 09:27:09 2057 UTC]

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B04EB push ecx; ret	0_2_075B04EC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B1106 push ebx; retf	0_2_075B111A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 0_2_075B3DC7 push edx; ret	0_2_075B3DCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00403040 push eax; ret	13_2_00403042
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00415040 push eax; iretd	13_2_00415043
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00406167 push ebp; ret	13_2_0040616B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00413560 push 00000076h; iretd	13_2_0041356F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0041EF5B push ss; ret	13_2_0041EF97
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00423720 pushfd ; ret	13_2_00423738
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_0041EFB8 push ss; ret	13_2_0041EF97
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00EF225F pushad ; ret	13_2_00EF27F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00EF27FA pushad ; ret	13_2_00EF27F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00EF283D push eax; iretd	13_2_00EF2858
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F209AD push ecx; mov dword ptr [esp], ecx	13_2_00F209B6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00EF1368 push eax; iretd	13_2_00EF1369
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_02D0EB08 pushfd ; iretd	14_2_02D0EB09
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_07393DC8 push edx; ret	14_2_07393DCB
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 14_2_073904EB push ecx; ret	14_2_073904EC
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017FC54D pushfd ; ret	19_2_017FC54E
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017FC9D7 push edi; ret	19_2_017FC9D9
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_017B09AD push ecx; mov dword ptr [esp], ecx	19_2_017B09B6
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01781FEC push eax; iretd	19_2_01781FED
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Code function: 19_2_01807E99 push ecx; ret	19_2_01807EAC

Source: Payment TT Copy.PDF.exe	Static PE information: section name: .text entropy: 7.841420186356563
Source: VajtonZVfAG.exe.0.dr	Static PE information: section name: .text entropy: 7.841420186356563

Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Jom9LF10HHRdVrln7yk.cs	High entropy of concatenated method names: 'BDiO17HcrO', 'mdkOY9CXnK', 'DQNOmYDYZD', 'RK1OpGX9Ci', 'W45OeGobun', 'psAOWedCSk', 'Fe8OixokDF', 'a1yOVtHy8c', 'nqEOcSK0Cp', 'Ma6ObbPQa6'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, NynZVPIgXQvWDJeDSi.cs	High entropy of concatenated method names: 'lidmYnTf6', 'otWppmljF', 'YqWWVQ3Pn', 'GpWiYAC8D', 'r6wcXGceK', 'SiFb6qp7k', 'aFxNwlMr7Jf8Gwi77y', 'xInqIB8bijPtdX9voa', 'EUYn2YPXp', 'UbdkyiUIc'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs	High entropy of concatenated method names: 'K3nIQv2thQ', 'x8lIvmNFDG', 'XFVIq557Ds', 'DgeIKvJoNb', 'eJ5IDMn3xP', 'ergIrtSiFF', 'sTgIGhGX5O', 'Hj7IFbGJZY', 'cWfIP8UP21', 'PyoI35aoFD'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, dMEHjpgLgkpneUikvJ.cs	High entropy of concatenated method names: 'aZvq0I5BJS', 'CpFqjBbvuV', 'vZFqgji7in', 'lkrq8flCvc', 'uRlqN9S38I', 'bVaqHN35sI', 'ABqqoTJ6ay', 'fp0qCFYp04', 'GkaqAKYmgT', 'pTGq5oeIy6'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, y9FXtZZQduItxqIplZ.cs	High entropy of concatenated method names: 'Gt56M9UMOD', 'zys6RBWZIe', 'EZs60fHqIa', 'M6M6jBP0qA', 'QgS6x5IQhs', 'MSL6woAVYe', 'aRQ6S3KmPl', 'ktC64VVJvY', 'n0b6fXpBtw', 'xq16ht486k'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, xfyPKow3lFF1jNUg6r.cs	High entropy of concatenated method names: 'qlg7ChNIVW', 'L2r75OrsaN', 'Jdrnsh41x4', 'c0unygwmuI', 'DgN7J3RMYE', 'QGY7RrpjD5', 'hl37Zkvr4Q', 'PRj70SoaBM', 'Bsj7jlJKca', 'r1m7g1QdKI'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Qxy3IX6wCrgnogBVFg.cs	High entropy of concatenated method names: 'ToString', 'MspBJvJRr7', 'CbRBxM2mFN', 'rULBwpsxZw', 'o3XBSQkpAb', 'r72B4WXYws', 'DQiBfYqPQS', 'vbgBhYqZKB', 'NvOBXJKu2s', 'a23BUqC8uR'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, M6ngbr5bXOptCR8PEO.cs	High entropy of concatenated method names: 'cQ6De8le3c', 'khtDipwSEl', 'Kr8Kwls2qK', 'PY5KSq5n42', 'IFdK44s8gf', 'Cb5KfK1fRH', 'KcSKh0AM0B', 'h9SKXBgJc3', 'qrpKU868GE', 'i9bKMt64K5'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, t9tVbiV0uPTUYfS1dW.cs	High entropy of concatenated method names: 'VhkrQiEtlO', 'KcLrqvWG3M', 'qfcrDfUAHv', 'qVBrGV512w', 'MSmrFPfg7S', 'vXoDNQatvg', 'tZkDHyVrQv', 'pAqDoGGLo4', 'JaiDCLUTXV', 'SOTDAXui2v'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, eCwvkyYw2voigtMyuf.cs	High entropy of concatenated method names: 'Dispose', 's4ZyAPMsJ3', 'QvGdxhFvTk', 'zXCll878ix', 'XXJy5ZA1CU', 'A2cyzvykD0', 'ProcessDialogKey', 'W4adsN6WRk', 'RmVdyp6ID0', 'iujddq2WKO'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, e44qn8M52P8GCkIp9P.cs	High entropy of concatenated method names: 'tCH73mH031', 'uUE79kDDow', 'ToString', 'pDE7vr93Te', 'RAe7q2EpmH', 'Xct7KaQxa0', 'eJK7Dpsq6w', 'X2s7r12t5y', 'bOj7GDb6TZ', 'HR97FIZDxC'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, hciy9U1fMqouS4CXbnu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OLtk0OPPJp', 'IafkjydZHR', 'BxBkg4w8uL', 'ypHk8SXlTb', 'NybkNYXFB4', 'hfNkHRnqjs', 'Bx7kox48Am'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, pPdWsx11eD9j2f3e7wZ.cs	High entropy of concatenated method names: 'ToString', 'QmIkINlAM0', 'r93k21VvJV', 'WmXkQfbhW2', 'S6FkvBEAOX', 'i5Hkq7UfKq', 'T6skKhrp76', 'xjvkDbbgcM', 'zPGFrQIesnxCkOfMAG7', 'dYYEdmIaPShsVNMccI9'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Nou66DloiqYx4178FS.cs	High entropy of concatenated method names: 'MSDG1NOSyn', 'MakGYpXNWM', 'EAmGmjaLgC', 'qhCGpHbQXB', 'ws8Ge8Ymad', 'w3yGW0ykb1', 'bXwGieFxfh', 'CksGVbetye', 'QByGcigtIF', 'GD4GbcTF7P'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, C86G4ZDECc2GTFZTYL.cs	High entropy of concatenated method names: 'IdeKpyeZcu', 'OUTKWsnCvs', 'rmLKVFRbem', 'IUPKctApE3', 'i9xK6O5bnJ', 'zx2KBG4H94', 'rk5K7ek2hh', 'dAIKn9wJDG', 'DowKOfdC5A', 'nK3Kk7caqC'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, jZcqeZ3FX7MH3R5KrW.cs	High entropy of concatenated method names: 'splOyUZ5jP', 'TFAOIIFlW7', 'XU2O2UIe1t', 'ON4OvjJXAC', 'v9vOqUA5Fy', 'JDSODy7u6T', 'JAqOrYg1OY', 'AANnoSohip', 'KnOnCrWG6l', 'gcpnAYLOHv'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, lfkj82aySIExnQ9DGG.cs	High entropy of concatenated method names: 'yNBLVDBZsy', 'KYcLcmjnp5', 'SHsLTmZgSD', 'iqnLxptXkP', 'XapLSs1Lf8', 'PSZL42pGlj', 'RvPLhBkdJF', 'MaXLXClqQo', 'GuSLMcnQtX', 'knvLJBESEZ'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, VeVkon4uYBxlo0Z935.cs	High entropy of concatenated method names: 'eLHnTLpuv5', 'WhxnxrhLnB', 'X0EnwoyCJE', 'qfnnS9hIX4', 'hfPn0xInfR', 'fNKn4Fn2eu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, PfY4hhpdWPrhK6QVIP.cs	High entropy of concatenated method names: 'T0yGvd8HxM', 'h42GKUxQji', 'EsaGrQVKmn', 'wyjr5tYp4P', 'GltrzVwa1c', 'E2gGsxXlYF', 'EDsGyTOTGs', 'KHOGdwXBQc', 'gfiGIA8qK0', 'OWpG2mk7bN'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, zM8kKvzcu2nNZjrZbk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDxOLeArle', 'zqiO6WpSdL', 'QG7OB4fpwW', 'eIbO7HBUhu', 'QCnOnK4lNZ', 'Vu9OOD3WeG', 'm1IOkIRxwR'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, GiwBEN7EoeMMlMNy9T.cs	High entropy of concatenated method names: 'AoJyGdlIar', 'l8wyFvoPMS', 'TLLy3fiaVy', 'ic2y98ig4i', 'WyNy6XeVU9', 'FXyyBDyuTD', 'hP0bm0wfSj5VSkCi3K', 'poy3c9sNW1MRT8YYOK', 'c9myydolTV', 'du4yIeB3B4'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Y6eTJPtAxoYndBNoX2.cs	High entropy of concatenated method names: 'MBtrEXUMnE', 'Sicr1pFo2F', 'HjCrmIU44a', 'kAVrpVwko8', 'FVKrWAMvqj', 'n8GriJ4gUQ', 'Llxrc0JH8y', 'xobrbvID7F', 'uKsFxmSdGUHuteDT76d', 'WpMQaJSRZn03nRYxlXB'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, mEyRMSiXZwHKbxKOdG.cs	High entropy of concatenated method names: 'g1PnvHs4IV', 'fVCnqsHDfu', 'EvVnKBDg3P', 'BdXnDfLfcn', 'j6hnr145Fm', 'SaCnGBc9uV', 'QAKnFWsGZY', 'FdEnPRDMO9', 'XXSn3JYpIn', 'EaWn9CgVcC'
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Jom9LF10HHRdVrln7yk.cs	High entropy of concatenated method names: 'BDiO17HcrO', 'mdkOY9CXnK', 'DQNOmYDYZD', 'RK1OpGX9Ci', 'W45OeGobun', 'psAOWedCSk', 'Fe8OixokDF', 'a1yOVtHy8c', 'nqEOcSK0Cp', 'Ma6ObbPQa6'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, NynZVPIgXQvWDJeDSi.cs	High entropy of concatenated method names: 'lidmYnTf6', 'otWppmljF', 'YqWWVQ3Pn', 'GpWiYAC8D', 'r6wcXGceK', 'SiFb6qp7k', 'aFxNwlMr7Jf8Gwi77y', 'xInqIB8bijPtdX9voa', 'EUYn2YPXp', 'UbdkyiUIc'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs	High entropy of concatenated method names: 'K3nIQv2thQ', 'x8lIvmNFDG', 'XFVIq557Ds', 'DgeIKvJoNb', 'eJ5IDMn3xP', 'ergIrtSiFF', 'sTgIGhGX5O', 'Hj7IFbGJZY', 'cWfIP8UP21', 'PyoI35aoFD'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, dMEHjpgLgkpneUikvJ.cs	High entropy of concatenated method names: 'aZvq0I5BJS', 'CpFqjBbvuV', 'vZFqgji7in', 'lkrq8flCvc', 'uRlqN9S38I', 'bVaqHN35sI', 'ABqqoTJ6ay', 'fp0qCFYp04', 'GkaqAKYmgT', 'pTGq5oeIy6'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, y9FXtZZQduItxqIplZ.cs	High entropy of concatenated method names: 'Gt56M9UMOD', 'zys6RBWZIe', 'EZs60fHqIa', 'M6M6jBP0qA', 'QgS6x5IQhs', 'MSL6woAVYe', 'aRQ6S3KmPl', 'ktC64VVJvY', 'n0b6fXpBtw', 'xq16ht486k'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, xfyPKow3lFF1jNUg6r.cs	High entropy of concatenated method names: 'qlg7ChNIVW', 'L2r75OrsaN', 'Jdrnsh41x4', 'c0unygwmuI', 'DgN7J3RMYE', 'QGY7RrpjD5', 'hl37Zkvr4Q', 'PRj70SoaBM', 'Bsj7jlJKca', 'r1m7g1QdKI'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Qxy3IX6wCrgnogBVFg.cs	High entropy of concatenated method names: 'ToString', 'MspBJvJRr7', 'CbRBxM2mFN', 'rULBwpsxZw', 'o3XBSQkpAb', 'r72B4WXYws', 'DQiBfYqPQS', 'vbgBhYqZKB', 'NvOBXJKu2s', 'a23BUqC8uR'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, M6ngbr5bXOptCR8PEO.cs	High entropy of concatenated method names: 'cQ6De8le3c', 'khtDipwSEl', 'Kr8Kwls2qK', 'PY5KSq5n42', 'IFdK44s8gf', 'Cb5KfK1fRH', 'KcSKh0AM0B', 'h9SKXBgJc3', 'qrpKU868GE', 'i9bKMt64K5'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, t9tVbiV0uPTUYfS1dW.cs	High entropy of concatenated method names: 'VhkrQiEtlO', 'KcLrqvWG3M', 'qfcrDfUAHv', 'qVBrGV512w', 'MSmrFPfg7S', 'vXoDNQatvg', 'tZkDHyVrQv', 'pAqDoGGLo4', 'JaiDCLUTXV', 'SOTDAXui2v'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, eCwvkyYw2voigtMyuf.cs	High entropy of concatenated method names: 'Dispose', 's4ZyAPMsJ3', 'QvGdxhFvTk', 'zXCll878ix', 'XXJy5ZA1CU', 'A2cyzvykD0', 'ProcessDialogKey', 'W4adsN6WRk', 'RmVdyp6ID0', 'iujddq2WKO'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, e44qn8M52P8GCkIp9P.cs	High entropy of concatenated method names: 'tCH73mH031', 'uUE79kDDow', 'ToString', 'pDE7vr93Te', 'RAe7q2EpmH', 'Xct7KaQxa0', 'eJK7Dpsq6w', 'X2s7r12t5y', 'bOj7GDb6TZ', 'HR97FIZDxC'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, hciy9U1fMqouS4CXbnu.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OLtk0OPPJp', 'IafkjydZHR', 'BxBkg4w8uL', 'ypHk8SXlTb', 'NybkNYXFB4', 'hfNkHRnqjs', 'Bx7kox48Am'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, pPdWsx11eD9j2f3e7wZ.cs	High entropy of concatenated method names: 'ToString', 'QmIkINlAM0', 'r93k21VvJV', 'WmXkQfbhW2', 'S6FkvBEAOX', 'i5Hkq7UfKq', 'T6skKhrp76', 'xjvkDbbgcM', 'zPGFrQIesnxCkOfMAG7', 'dYYEdmIaPShsVNMccI9'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Nou66DloiqYx4178FS.cs	High entropy of concatenated method names: 'MSDG1NOSyn', 'MakGYpXNWM', 'EAmGmjaLgC', 'qhCGpHbQXB', 'ws8Ge8Ymad', 'w3yGW0ykb1', 'bXwGieFxfh', 'CksGVbetye', 'QByGcigtIF', 'GD4GbcTF7P'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, C86G4ZDECc2GTFZTYL.cs	High entropy of concatenated method names: 'IdeKpyeZcu', 'OUTKWsnCvs', 'rmLKVFRbem', 'IUPKctApE3', 'i9xK6O5bnJ', 'zx2KBG4H94', 'rk5K7ek2hh', 'dAIKn9wJDG', 'DowKOfdC5A', 'nK3Kk7caqC'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, jZcqeZ3FX7MH3R5KrW.cs	High entropy of concatenated method names: 'splOyUZ5jP', 'TFAOIIFlW7', 'XU2O2UIe1t', 'ON4OvjJXAC', 'v9vOqUA5Fy', 'JDSODy7u6T', 'JAqOrYg1OY', 'AANnoSohip', 'KnOnCrWG6l', 'gcpnAYLOHv'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, lfkj82aySIExnQ9DGG.cs	High entropy of concatenated method names: 'yNBLVDBZsy', 'KYcLcmjnp5', 'SHsLTmZgSD', 'iqnLxptXkP', 'XapLSs1Lf8', 'PSZL42pGlj', 'RvPLhBkdJF', 'MaXLXClqQo', 'GuSLMcnQtX', 'knvLJBESEZ'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, VeVkon4uYBxlo0Z935.cs	High entropy of concatenated method names: 'eLHnTLpuv5', 'WhxnxrhLnB', 'X0EnwoyCJE', 'qfnnS9hIX4', 'hfPn0xInfR', 'fNKn4Fn2eu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, PfY4hhpdWPrhK6QVIP.cs	High entropy of concatenated method names: 'T0yGvd8HxM', 'h42GKUxQji', 'EsaGrQVKmn', 'wyjr5tYp4P', 'GltrzVwa1c', 'E2gGsxXlYF', 'EDsGyTOTGs', 'KHOGdwXBQc', 'gfiGIA8qK0', 'OWpG2mk7bN'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, zM8kKvzcu2nNZjrZbk.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDxOLeArle', 'zqiO6WpSdL', 'QG7OB4fpwW', 'eIbO7HBUhu', 'QCnOnK4lNZ', 'Vu9OOD3WeG', 'm1IOkIRxwR'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, GiwBEN7EoeMMlMNy9T.cs	High entropy of concatenated method names: 'AoJyGdlIar', 'l8wyFvoPMS', 'TLLy3fiaVy', 'ic2y98ig4i', 'WyNy6XeVU9', 'FXyyBDyuTD', 'hP0bm0wfSj5VSkCi3K', 'poy3c9sNW1MRT8YYOK', 'c9myydolTV', 'du4yIeB3B4'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Y6eTJPtAxoYndBNoX2.cs	High entropy of concatenated method names: 'MBtrEXUMnE', 'Sicr1pFo2F', 'HjCrmIU44a', 'kAVrpVwko8', 'FVKrWAMvqj', 'n8GriJ4gUQ', 'Llxrc0JH8y', 'xobrbvID7F', 'uKsFxmSdGUHuteDT76d', 'WpMQaJSRZn03nRYxlXB'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, mEyRMSiXZwHKbxKOdG.cs	High entropy of concatenated method names: 'g1PnvHs4IV', 'fVCnqsHDfu', 'EvVnKBDg3P', 'BdXnDfLfcn', 'j6hnr145Fm', 'SaCnGBc9uV', 'QAKnFWsGZY', 'FdEnPRDMO9', 'XXSn3JYpIn', 'EaWn9CgVcC'
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, kD0JNdgNBriBGn5egS.cs	High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs	High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

File created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.exe

Static PE information: Payment TT Copy.PDF.exe

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Payment TT Copy.PDF.exe PID: 5632, type: MEMORYSTR

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 1510000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 2F30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 2E60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 8150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 9150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: 9310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory allocated: A310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 2E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 4E30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 7B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 8B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 8D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory allocated: 9D10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Code function: 13_2_00F6096E rdtsc

13_2_00F6096E

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2995			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4325			Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe TID: 2940	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5636	Thread sleep count: 2995 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2444	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1548	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe TID: 5812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe TID: 3300	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe TID: 2940	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Payment TT Copy.PDF.exe, 00000000.00000002.2147183357.0000000007F80000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: QEMuI3f6HdgIrd9fgRr

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Code function: 13_2_00F6096E rdtsc

13_2_00F6096E

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Code function: 13_2_00417153 LdrLoadDll,

13_2_00417153

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1C0F0 mov eax, dword ptr fs:[00000030h]	13_2_00F1C0F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F620F0 mov ecx, dword ptr fs:[00000030h]	13_2_00F620F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A0E3 mov ecx, dword ptr fs:[00000030h]	13_2_00F1A0E3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA60E0 mov eax, dword ptr fs:[00000030h]	13_2_00FA60E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F280E9 mov eax, dword ptr fs:[00000030h]	13_2_00F280E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA20DE mov eax, dword ptr fs:[00000030h]	13_2_00FA20DE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE60B8 mov eax, dword ptr fs:[00000030h]	13_2_00FE60B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE60B8 mov ecx, dword ptr fs:[00000030h]	13_2_00FE60B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F180A0 mov eax, dword ptr fs:[00000030h]	13_2_00F180A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB80A8 mov eax, dword ptr fs:[00000030h]	13_2_00FB80A8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2208A mov eax, dword ptr fs:[00000030h]	13_2_00F2208A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4C073 mov eax, dword ptr fs:[00000030h]	13_2_00F4C073
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F22050 mov eax, dword ptr fs:[00000030h]	13_2_00F22050
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6050 mov eax, dword ptr fs:[00000030h]	13_2_00FA6050
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6030 mov eax, dword ptr fs:[00000030h]	13_2_00FB6030
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A020 mov eax, dword ptr fs:[00000030h]	13_2_00F1A020
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1C020 mov eax, dword ptr fs:[00000030h]	13_2_00F1C020
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h]	13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h]	13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h]	13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h]	13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA4000 mov ecx, dword ptr fs:[00000030h]	13_2_00FA4000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h]	13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F501F8 mov eax, dword ptr fs:[00000030h]	13_2_00F501F8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF61E5 mov eax, dword ptr fs:[00000030h]	13_2_00FF61E5
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h]	13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h]	13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E1D0 mov ecx, dword ptr fs:[00000030h]	13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h]	13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h]	13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE61C3 mov eax, dword ptr fs:[00000030h]	13_2_00FE61C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE61C3 mov eax, dword ptr fs:[00000030h]	13_2_00FE61C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h]	13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h]	13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h]	13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h]	13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h]	13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h]	13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h]	13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F60185 mov eax, dword ptr fs:[00000030h]	13_2_00F60185
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDC188 mov eax, dword ptr fs:[00000030h]	13_2_00FDC188
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDC188 mov eax, dword ptr fs:[00000030h]	13_2_00FDC188
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC4180 mov eax, dword ptr fs:[00000030h]	13_2_00FC4180
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC4180 mov eax, dword ptr fs:[00000030h]	13_2_00FC4180
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4164 mov eax, dword ptr fs:[00000030h]	13_2_00FF4164
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4164 mov eax, dword ptr fs:[00000030h]	13_2_00FF4164
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB8158 mov eax, dword ptr fs:[00000030h]	13_2_00FB8158
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26154 mov eax, dword ptr fs:[00000030h]	13_2_00F26154
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26154 mov eax, dword ptr fs:[00000030h]	13_2_00F26154
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1C156 mov eax, dword ptr fs:[00000030h]	13_2_00F1C156
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h]	13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h]	13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB4144 mov ecx, dword ptr fs:[00000030h]	13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h]	13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h]	13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F50124 mov eax, dword ptr fs:[00000030h]	13_2_00F50124
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCA118 mov ecx, dword ptr fs:[00000030h]	13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h]	13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h]	13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h]	13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE0115 mov eax, dword ptr fs:[00000030h]	13_2_00FE0115
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h]	13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h]	13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h]	13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h]	13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF62D6 mov eax, dword ptr fs:[00000030h]	13_2_00FF62D6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h]	13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h]	13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h]	13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h]	13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h]	13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov ecx, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h]	13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E284 mov eax, dword ptr fs:[00000030h]	13_2_00F5E284
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E284 mov eax, dword ptr fs:[00000030h]	13_2_00F5E284
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h]	13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h]	13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h]	13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h]	13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h]	13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h]	13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h]	13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1826B mov eax, dword ptr fs:[00000030h]	13_2_00F1826B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1A250 mov eax, dword ptr fs:[00000030h]	13_2_00F1A250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF625D mov eax, dword ptr fs:[00000030h]	13_2_00FF625D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26259 mov eax, dword ptr fs:[00000030h]	13_2_00F26259
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDA250 mov eax, dword ptr fs:[00000030h]	13_2_00FDA250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDA250 mov eax, dword ptr fs:[00000030h]	13_2_00FDA250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA8243 mov eax, dword ptr fs:[00000030h]	13_2_00FA8243
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA8243 mov ecx, dword ptr fs:[00000030h]	13_2_00FA8243
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1823B mov eax, dword ptr fs:[00000030h]	13_2_00F1823B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h]	13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h]	13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h]	13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F563FF mov eax, dword ptr fs:[00000030h]	13_2_00F563FF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h]	13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h]	13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h]	13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE3DB mov ecx, dword ptr fs:[00000030h]	13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h]	13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC43D4 mov eax, dword ptr fs:[00000030h]	13_2_00FC43D4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC43D4 mov eax, dword ptr fs:[00000030h]	13_2_00FC43D4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDC3CD mov eax, dword ptr fs:[00000030h]	13_2_00FDC3CD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h]	13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h]	13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h]	13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h]	13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA63C0 mov eax, dword ptr fs:[00000030h]	13_2_00FA63C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h]	13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h]	13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h]	13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h]	13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h]	13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h]	13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4438F mov eax, dword ptr fs:[00000030h]	13_2_00F4438F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4438F mov eax, dword ptr fs:[00000030h]	13_2_00F4438F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC437C mov eax, dword ptr fs:[00000030h]	13_2_00FC437C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov ecx, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h]	13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEA352 mov eax, dword ptr fs:[00000030h]	13_2_00FEA352
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC8350 mov ecx, dword ptr fs:[00000030h]	13_2_00FC8350
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF634F mov eax, dword ptr fs:[00000030h]	13_2_00FF634F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h]	13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h]	13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF8324 mov ecx, dword ptr fs:[00000030h]	13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h]	13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h]	13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1C310 mov ecx, dword ptr fs:[00000030h]	13_2_00F1C310
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F40310 mov ecx, dword ptr fs:[00000030h]	13_2_00F40310
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h]	13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h]	13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h]	13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F204E5 mov ecx, dword ptr fs:[00000030h]	13_2_00F204E5
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F544B0 mov ecx, dword ptr fs:[00000030h]	13_2_00F544B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAA4B0 mov eax, dword ptr fs:[00000030h]	13_2_00FAA4B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F264AB mov eax, dword ptr fs:[00000030h]	13_2_00F264AB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDA49A mov eax, dword ptr fs:[00000030h]	13_2_00FDA49A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h]	13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h]	13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h]	13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAC460 mov ecx, dword ptr fs:[00000030h]	13_2_00FAC460
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FDA456 mov eax, dword ptr fs:[00000030h]	13_2_00FDA456
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1645D mov eax, dword ptr fs:[00000030h]	13_2_00F1645D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4245A mov eax, dword ptr fs:[00000030h]	13_2_00F4245A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h]	13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A430 mov eax, dword ptr fs:[00000030h]	13_2_00F5A430
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h]	13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h]	13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h]	13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1C427 mov eax, dword ptr fs:[00000030h]	13_2_00F1C427
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h]	13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h]	13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h]	13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h]	13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F225E0 mov eax, dword ptr fs:[00000030h]	13_2_00F225E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h]	13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C5ED mov eax, dword ptr fs:[00000030h]	13_2_00F5C5ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C5ED mov eax, dword ptr fs:[00000030h]	13_2_00F5C5ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F265D0 mov eax, dword ptr fs:[00000030h]	13_2_00F265D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A5D0 mov eax, dword ptr fs:[00000030h]	13_2_00F5A5D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A5D0 mov eax, dword ptr fs:[00000030h]	13_2_00F5A5D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E5CF mov eax, dword ptr fs:[00000030h]	13_2_00F5E5CF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E5CF mov eax, dword ptr fs:[00000030h]	13_2_00F5E5CF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F445B1 mov eax, dword ptr fs:[00000030h]	13_2_00F445B1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F445B1 mov eax, dword ptr fs:[00000030h]	13_2_00F445B1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h]	13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h]	13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h]	13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5E59C mov eax, dword ptr fs:[00000030h]	13_2_00F5E59C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F22582 mov eax, dword ptr fs:[00000030h]	13_2_00F22582
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F22582 mov ecx, dword ptr fs:[00000030h]	13_2_00F22582
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F54588 mov eax, dword ptr fs:[00000030h]	13_2_00F54588
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h]	13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h]	13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h]	13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28550 mov eax, dword ptr fs:[00000030h]	13_2_00F28550
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28550 mov eax, dword ptr fs:[00000030h]	13_2_00F28550
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h]	13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h]	13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h]	13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h]	13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h]	13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h]	13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6500 mov eax, dword ptr fs:[00000030h]	13_2_00FB6500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h]	13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h]	13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h]	13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h]	13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h]	13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA06F1 mov eax, dword ptr fs:[00000030h]	13_2_00FA06F1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA06F1 mov eax, dword ptr fs:[00000030h]	13_2_00FA06F1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A6C7 mov ebx, dword ptr fs:[00000030h]	13_2_00F5A6C7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A6C7 mov eax, dword ptr fs:[00000030h]	13_2_00F5A6C7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F566B0 mov eax, dword ptr fs:[00000030h]	13_2_00F566B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C6A6 mov eax, dword ptr fs:[00000030h]	13_2_00F5C6A6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24690 mov eax, dword ptr fs:[00000030h]	13_2_00F24690
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24690 mov eax, dword ptr fs:[00000030h]	13_2_00F24690
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F52674 mov eax, dword ptr fs:[00000030h]	13_2_00F52674
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE866E mov eax, dword ptr fs:[00000030h]	13_2_00FE866E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE866E mov eax, dword ptr fs:[00000030h]	13_2_00FE866E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A660 mov eax, dword ptr fs:[00000030h]	13_2_00F5A660
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A660 mov eax, dword ptr fs:[00000030h]	13_2_00F5A660
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3C640 mov eax, dword ptr fs:[00000030h]	13_2_00F3C640
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3E627 mov eax, dword ptr fs:[00000030h]	13_2_00F3E627
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F56620 mov eax, dword ptr fs:[00000030h]	13_2_00F56620
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F58620 mov eax, dword ptr fs:[00000030h]	13_2_00F58620
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2262C mov eax, dword ptr fs:[00000030h]	13_2_00F2262C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62619 mov eax, dword ptr fs:[00000030h]	13_2_00F62619
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E609 mov eax, dword ptr fs:[00000030h]	13_2_00F9E609
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h]	13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F247FB mov eax, dword ptr fs:[00000030h]	13_2_00F247FB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F247FB mov eax, dword ptr fs:[00000030h]	13_2_00F247FB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h]	13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h]	13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h]	13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAE7E1 mov eax, dword ptr fs:[00000030h]	13_2_00FAE7E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2C7C0 mov eax, dword ptr fs:[00000030h]	13_2_00F2C7C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA07C3 mov eax, dword ptr fs:[00000030h]	13_2_00FA07C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F207AF mov eax, dword ptr fs:[00000030h]	13_2_00F207AF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD47A0 mov eax, dword ptr fs:[00000030h]	13_2_00FD47A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC678E mov eax, dword ptr fs:[00000030h]	13_2_00FC678E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28770 mov eax, dword ptr fs:[00000030h]	13_2_00F28770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h]	13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20750 mov eax, dword ptr fs:[00000030h]	13_2_00F20750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62750 mov eax, dword ptr fs:[00000030h]	13_2_00F62750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F62750 mov eax, dword ptr fs:[00000030h]	13_2_00F62750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAE75D mov eax, dword ptr fs:[00000030h]	13_2_00FAE75D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA4755 mov eax, dword ptr fs:[00000030h]	13_2_00FA4755
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5674D mov esi, dword ptr fs:[00000030h]	13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5674D mov eax, dword ptr fs:[00000030h]	13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5674D mov eax, dword ptr fs:[00000030h]	13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5273C mov eax, dword ptr fs:[00000030h]	13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5273C mov ecx, dword ptr fs:[00000030h]	13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5273C mov eax, dword ptr fs:[00000030h]	13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9C730 mov eax, dword ptr fs:[00000030h]	13_2_00F9C730
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C720 mov eax, dword ptr fs:[00000030h]	13_2_00F5C720
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C720 mov eax, dword ptr fs:[00000030h]	13_2_00F5C720
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20710 mov eax, dword ptr fs:[00000030h]	13_2_00F20710
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F50710 mov eax, dword ptr fs:[00000030h]	13_2_00F50710
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C700 mov eax, dword ptr fs:[00000030h]	13_2_00F5C700
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C8F9 mov eax, dword ptr fs:[00000030h]	13_2_00F5C8F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5C8F9 mov eax, dword ptr fs:[00000030h]	13_2_00F5C8F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEA8E4 mov eax, dword ptr fs:[00000030h]	13_2_00FEA8E4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4E8C0 mov eax, dword ptr fs:[00000030h]	13_2_00F4E8C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF08C0 mov eax, dword ptr fs:[00000030h]	13_2_00FF08C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAC89D mov eax, dword ptr fs:[00000030h]	13_2_00FAC89D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20887 mov eax, dword ptr fs:[00000030h]	13_2_00F20887
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAE872 mov eax, dword ptr fs:[00000030h]	13_2_00FAE872
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAE872 mov eax, dword ptr fs:[00000030h]	13_2_00FAE872
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6870 mov eax, dword ptr fs:[00000030h]	13_2_00FB6870
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6870 mov eax, dword ptr fs:[00000030h]	13_2_00FB6870
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F50854 mov eax, dword ptr fs:[00000030h]	13_2_00F50854
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24859 mov eax, dword ptr fs:[00000030h]	13_2_00F24859
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F24859 mov eax, dword ptr fs:[00000030h]	13_2_00F24859
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F32840 mov ecx, dword ptr fs:[00000030h]	13_2_00F32840
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov ecx, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h]	13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5A830 mov eax, dword ptr fs:[00000030h]	13_2_00F5A830
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC483A mov eax, dword ptr fs:[00000030h]	13_2_00FC483A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC483A mov eax, dword ptr fs:[00000030h]	13_2_00FC483A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAC810 mov eax, dword ptr fs:[00000030h]	13_2_00FAC810
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F529F9 mov eax, dword ptr fs:[00000030h]	13_2_00F529F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F529F9 mov eax, dword ptr fs:[00000030h]	13_2_00F529F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAE9E0 mov eax, dword ptr fs:[00000030h]	13_2_00FAE9E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h]	13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F549D0 mov eax, dword ptr fs:[00000030h]	13_2_00F549D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEA9D3 mov eax, dword ptr fs:[00000030h]	13_2_00FEA9D3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB69C0 mov eax, dword ptr fs:[00000030h]	13_2_00FB69C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA89B3 mov esi, dword ptr fs:[00000030h]	13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA89B3 mov eax, dword ptr fs:[00000030h]	13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA89B3 mov eax, dword ptr fs:[00000030h]	13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h]	13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F209AD mov eax, dword ptr fs:[00000030h]	13_2_00F209AD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F209AD mov eax, dword ptr fs:[00000030h]	13_2_00F209AD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC4978 mov eax, dword ptr fs:[00000030h]	13_2_00FC4978
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC4978 mov eax, dword ptr fs:[00000030h]	13_2_00FC4978
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAC97C mov eax, dword ptr fs:[00000030h]	13_2_00FAC97C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h]	13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h]	13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h]	13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F6096E mov eax, dword ptr fs:[00000030h]	13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F6096E mov edx, dword ptr fs:[00000030h]	13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F6096E mov eax, dword ptr fs:[00000030h]	13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA0946 mov eax, dword ptr fs:[00000030h]	13_2_00FA0946
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4940 mov eax, dword ptr fs:[00000030h]	13_2_00FF4940
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FA892A mov eax, dword ptr fs:[00000030h]	13_2_00FA892A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB892B mov eax, dword ptr fs:[00000030h]	13_2_00FB892B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FAC912 mov eax, dword ptr fs:[00000030h]	13_2_00FAC912
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18918 mov eax, dword ptr fs:[00000030h]	13_2_00F18918
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18918 mov eax, dword ptr fs:[00000030h]	13_2_00F18918
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E908 mov eax, dword ptr fs:[00000030h]	13_2_00F9E908
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9E908 mov eax, dword ptr fs:[00000030h]	13_2_00F9E908
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5AAEE mov eax, dword ptr fs:[00000030h]	13_2_00F5AAEE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5AAEE mov eax, dword ptr fs:[00000030h]	13_2_00F5AAEE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20AD0 mov eax, dword ptr fs:[00000030h]	13_2_00F20AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F54AD0 mov eax, dword ptr fs:[00000030h]	13_2_00F54AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F54AD0 mov eax, dword ptr fs:[00000030h]	13_2_00F54AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h]	13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h]	13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h]	13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28AA0 mov eax, dword ptr fs:[00000030h]	13_2_00F28AA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28AA0 mov eax, dword ptr fs:[00000030h]	13_2_00F28AA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F76AA4 mov eax, dword ptr fs:[00000030h]	13_2_00F76AA4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F58A90 mov edx, dword ptr fs:[00000030h]	13_2_00F58A90
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h]	13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF4A80 mov eax, dword ptr fs:[00000030h]	13_2_00FF4A80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9CA72 mov eax, dword ptr fs:[00000030h]	13_2_00F9CA72
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9CA72 mov eax, dword ptr fs:[00000030h]	13_2_00F9CA72
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h]	13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h]	13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h]	13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCEA60 mov eax, dword ptr fs:[00000030h]	13_2_00FCEA60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h]	13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30A5B mov eax, dword ptr fs:[00000030h]	13_2_00F30A5B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30A5B mov eax, dword ptr fs:[00000030h]	13_2_00F30A5B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F44A35 mov eax, dword ptr fs:[00000030h]	13_2_00F44A35
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F44A35 mov eax, dword ptr fs:[00000030h]	13_2_00F44A35
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5CA38 mov eax, dword ptr fs:[00000030h]	13_2_00F5CA38
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F5CA24 mov eax, dword ptr fs:[00000030h]	13_2_00F5CA24
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4EA2E mov eax, dword ptr fs:[00000030h]	13_2_00F4EA2E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FACA11 mov eax, dword ptr fs:[00000030h]	13_2_00FACA11
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h]	13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h]	13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h]	13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4EBFC mov eax, dword ptr fs:[00000030h]	13_2_00F4EBFC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FACBF0 mov eax, dword ptr fs:[00000030h]	13_2_00FACBF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCEBD0 mov eax, dword ptr fs:[00000030h]	13_2_00FCEBD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h]	13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h]	13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h]	13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h]	13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h]	13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h]	13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30BBE mov eax, dword ptr fs:[00000030h]	13_2_00F30BBE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F30BBE mov eax, dword ptr fs:[00000030h]	13_2_00F30BBE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD4BB0 mov eax, dword ptr fs:[00000030h]	13_2_00FD4BB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD4BB0 mov eax, dword ptr fs:[00000030h]	13_2_00FD4BB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F1CB7E mov eax, dword ptr fs:[00000030h]	13_2_00F1CB7E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F18B50 mov eax, dword ptr fs:[00000030h]	13_2_00F18B50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h]	13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h]	13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h]	13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h]	13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FCEB50 mov eax, dword ptr fs:[00000030h]	13_2_00FCEB50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD4B4B mov eax, dword ptr fs:[00000030h]	13_2_00FD4B4B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FD4B4B mov eax, dword ptr fs:[00000030h]	13_2_00FD4B4B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6B40 mov eax, dword ptr fs:[00000030h]	13_2_00FB6B40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FB6B40 mov eax, dword ptr fs:[00000030h]	13_2_00FB6B40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FEAB40 mov eax, dword ptr fs:[00000030h]	13_2_00FEAB40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FC8B42 mov eax, dword ptr fs:[00000030h]	13_2_00FC8B42
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4EB20 mov eax, dword ptr fs:[00000030h]	13_2_00F4EB20
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F4EB20 mov eax, dword ptr fs:[00000030h]	13_2_00F4EB20
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE8B28 mov eax, dword ptr fs:[00000030h]	13_2_00FE8B28
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00FE8B28 mov eax, dword ptr fs:[00000030h]	13_2_00FE8B28
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Code function: 13_2_00F9EB1D mov eax, dword ptr fs:[00000030h]	13_2_00F9EB1D

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Memory allocated: page read and write | page guard

Adds a directory exclusion to Windows Defender

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Memory written: C:\Users\user\Desktop\Payment TT Copy.PDF.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Memory written: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Users\user\Desktop\Payment TT Copy.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Queries volume information: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	11 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment TT Copy.PDF.exe	26%	ReversingLabs
Payment TT Copy.PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\VajtonZVfAG.exe	26%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment TT Copy.PDF.exe, 00000000.00000002.2127687121.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, VajtonZVfAG.exe, 0000000E.00000002.2177704253.0000000002E99000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519410
Start date and time:	2024-09-26 13:49:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment TT Copy.PDF.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 84 Number of non-executed functions: 298
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Payment TT Copy.PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
07:49:54	API Interceptor	5x Sleep call for process: Payment TT Copy.PDF.exe modified
07:49:56	API Interceptor	42x Sleep call for process: powershell.exe modified
07:50:00	API Interceptor	5x Sleep call for process: VajtonZVfAG.exe modified
13:49:57	Task Scheduler	Run new task: VajtonZVfAG path: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Process:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VajtonZVfAG.exe.log

Process:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379552885213346
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
MD5:	3E5712DC6AFCA8CF60C5CB8BE65E2089
SHA1:	CDBAF3935912EFB05DBE58CA89C5422F07B528A0
SHA-256:	B9F7E5F0AFD718D8585A8B37DD8C459ECDD4E7E68C5FE61631D89CDD3E229833
SHA-512:	1BD81033EB26CD0EE3DEF6F02FECB4097D878D61CAA5BEF6739C51E889B99C9E695BECF51719959D33F7BA9838E202ADD7EE4DD704D5163B584F4E8B8B7ECC38
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2yu0mvov.uxz.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_40iq5yxn.xbt.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_menbhpka.bhk.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkuzewzp.b5d.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uaeimfvc.pa0.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ue55vztt.5ib.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfo1lbrm.54f.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zbkfjvgu.fsm.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp78CA.tmp

Process:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.101916476784669
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLWxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTOv
MD5:	7F15481CC9759CAA240D53FD968653C2
SHA1:	DC58A4D09C98EF2A1DDA765E187146FFF9646883
SHA-256:	A35C6ADC31773BF3FB47B15E39C1A9B7E4E5300B79782472E69F6220A8E2C42B
SHA-512:	863DE34C13FD24D94855947132F013ECFB939CCB7E3E462C3C14ADEB8C3D59663C832F6DD4487EC327156A3DA33662592F74DBAD3DFA76F369719B631FB1E24F
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp91A1.tmp

Process:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1598
Entropy (8bit):	5.101916476784669
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLWxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTOv
MD5:	7F15481CC9759CAA240D53FD968653C2
SHA1:	DC58A4D09C98EF2A1DDA765E187146FFF9646883
SHA-256:	A35C6ADC31773BF3FB47B15E39C1A9B7E4E5300B79782472E69F6220A8E2C42B
SHA-512:	863DE34C13FD24D94855947132F013ECFB939CCB7E3E462C3C14ADEB8C3D59663C832F6DD4487EC327156A3DA33662592F74DBAD3DFA76F369719B631FB1E24F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Process:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	730632
Entropy (8bit):	7.836147361019564
Encrypted:	false
SSDEEP:	12288:GLn5rgwI8n++Ta+CHouivf3ilYWObQPw0f5m8ce0tPPiT6IS8bQbpkR:GqwI8nvT2IuGfJ9XjeWiT/I0
MD5:	25E0C13B707F3EBCE3F35E806AC547D7
SHA1:	647C3A60022EAA64B8D43C92834F0D040F305CCF
SHA-256:	1A375DD13598CD93E502E68F84236B536B9333FC9F1F2DB88F2BBBBC67DD04C4
SHA-512:	013239CB462B87DBFC22D06E85F3D5DAA7F6999C1A12CA5CA66D07ACAE12FA92F80BF31BE7F6FE09658A39E1AB1AABA7EA6ADA50A17AA35C0655A46DC6D2803D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 26%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._...............0.................. ... ....@.. .......................`............@.................................`...O.... ...................6...@......H...p............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......tS..lE..............hR...........................................0..d.........}.....(.......(......s7...}.....sM...}.....sM...}.....sM...}......}......}.....~....}......(......0.............o....sO...}.....{.........,n...}.....{.....o......{.....o......{.....{....oI....{....o....X.{....oK....{....o....Xs....o.......(....}........0..Q..........o....sO...}.....{....,..{.......+....,&..{.....{.....{....oe.....{....o......*....0.............o....sO...}.....{....,..{....

C:\Users\user\AppData\Roaming\VajtonZVfAG.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.836147361019564
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment TT Copy.PDF.exe
File size:	730'632 bytes
MD5:	25e0c13b707f3ebce3f35e806ac547d7
SHA1:	647c3a60022eaa64b8d43c92834f0d040f305ccf
SHA256:	1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4
SHA512:	013239cb462b87dbfc22d06e85f3d5daa7f6999c1a12ca5ca66d07acae12fa92f80bf31be7f6fe09658a39e1ab1aaba7ea6ada50a17aa35c0655a46dc6d2803d
SSDEEP:	12288:GLn5rgwI8n++Ta+CHouivf3ilYWObQPw0f5m8ce0tPPiT6IS8bQbpkR:GqwI8nvT2IuGfJ9XjeWiT/I0
TLSH:	3EF412402152EA05E9921F740572D1F46779BE89A911C30BEFEABEEF7CBA3819941343
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...............0.................. ... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b04b2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA55FACED [Sun Dec 2 09:27:09 2057 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb0460	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xaf000	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xaeb48	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xae4b8	0xae600	ba8d57ec4973fe1603d209d6cff0e57f	False	0.9316658266129032	OpenPGP Secret Key	7.841420186356563	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x5b4	0x600	d9bb5a338729011848bd3d6a64523dd2	False	0.421875	data	4.086513041250264	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	53b138fd1f66d7dbf195c57f660022b3	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb2090	0x324	data			0.43283582089552236
RT_MANIFEST	0xb23c4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	07:49:54
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0xaf0000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Imagebase:	0xd20000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	07:49:55
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	07:49:56
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0x2d0000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	07:49:56
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0x10000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	07:49:56
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0x100000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	07:49:56
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0x2d0000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	13
Start time:	07:49:56
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Imagebase:	0x470000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	07:49:57
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Imagebase:	0x9b0000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 26%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	07:49:59
Start date:	26/09/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	07:50:01
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	17
Start time:	07:50:02
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	18
Start time:	07:50:02
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Imagebase:	0x10000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	19
Start time:	07:50:02
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Imagebase:	0xce0000
File size:	730'632 bytes
MD5 hash:	25E0C13B707F3EBCE3F35E806AC547D7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	24
Start time:	07:50:40
Start date:	26/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7403e0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false