Windows Analysis Report
September payments.exe

Overview

General Information

Sample name: September payments.exe
Analysis ID: 1527847
MD5: bddb3b5687c1e5c4bb89e38d406261d1
SHA1: aaf992182827d0493b478b9723fdcab48b1b509d
SHA256: b1fb20d5857d1ca65dbacd6cb100dc2d7da8eb7ce54d4faeebafb2bbb212beca
Tags: exeuser-adrian__luca

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Virustotal: Detection: 34%
Source: September payments.exe ReversingLabs: Detection: 60%
Source: September payments.exe Virustotal: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Joe Sandbox ML: detected
Source: September payments.exe Joe Sandbox ML: detected
Source: September payments.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: September payments.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: BmTE.pdb source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
Source: Binary string: BmTE.pdbSHA256 source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
Source: September payments.exe, 00000000.00000002.1369478980.0000000002ABB000.00000004.00000800.00020000.00000000.sdmp, YifGIcnmZiWfn.exe, 0000000E.00000002.1416021877.000000000295B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: initial sample Static PE information: Filename: September payments.exe
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_00C1D5DC 0_2_00C1D5DC
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C807C0 0_2_06C807C0
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C807AF 0_2_06C807AF
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C894F0 0_2_06C894F0
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C875E8 0_2_06C875E8
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C875E3 0_2_06C875E3
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C89500 0_2_06C89500
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C80268 0_2_06C80268
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C80278 0_2_06C80278
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C890C8 0_2_06C890C8
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C871B0 0_2_06C871B0
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C88C90 0_2_06C88C90
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_00DBD5DC 14_2_00DBD5DC
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD07C0 14_2_06CD07C0
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD07AF 14_2_06CD07AF
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD94F0 14_2_06CD94F0
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD75E8 14_2_06CD75E8
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD9500 14_2_06CD9500
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD0268 14_2_06CD0268
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD0278 14_2_06CD0278
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD90C8 14_2_06CD90C8
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD71B0 14_2_06CD71B0
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CD8C90 14_2_06CD8C90
Source: September payments.exe, 00000000.00000000.1336830422.0000000000292000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBmTE.exeH vs September payments.exe
Source: September payments.exe, 00000000.00000002.1366385860.000000000088E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs September payments.exe
Source: September payments.exe, 00000000.00000002.1384220214.00000000099D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs September payments.exe
Source: September payments.exe, 00000000.00000002.1371329305.000000000409A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs September payments.exe
Source: September payments.exe Binary or memory string: OriginalFilenameBmTE.exeH vs September payments.exe
Source: September payments.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YifGIcnmZiWfn.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.SetAccessControl
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.AddAccessRule
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, bBOVxW7S0gel36u4PX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.SetAccessControl
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.AddAccessRule
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, bBOVxW7S0gel36u4PX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, bBOVxW7S0gel36u4PX.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.SetAccessControl
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@35/15@0/0
Source: C:\Users\user\Desktop\September payments.exe File created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Mutant created: \Sessions\1\BaseNamedObjects\eNvEqmiOoDtDQZUfTkSTDrmKNms
Source: C:\Users\user\Desktop\September payments.exe File created: C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp
Source: September payments.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\September payments.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\September payments.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: September payments.exe, 00000000.00000000.1336830422.0000000000292000.00000002.00000001.01000000.00000003.sdmp, YifGIcnmZiWfn.exe.0.dr Binary or memory string: select * from [card] where [card].id = (select employees.[card] from employees where employees.id =quse employees; select [name] from department where id =
Source: C:\Users\user\Desktop\September payments.exe File read: C:\Users\user\Desktop\September payments.exe
Source: unknown Process created: C:\Users\user\Desktop\September payments.exe "C:\Users\user\Desktop\September payments.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\September payments.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\September payments.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\September payments.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: September payments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: September payments.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: September payments.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: BmTE.pdb source: September payments.exe, YifGIcnmZiWfn.exe.0.dr
Source: Binary string: BmTE.pdbSHA256 source: September payments.exe, YifGIcnmZiWfn.exe.0.dr

Data Obfuscation

Source: September payments.exe, authorizationForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: YifGIcnmZiWfn.exe.0.dr, authorizationForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.3882450.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.6ae0000.4.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.386a230.2.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs .Net Code: CENhTv5NoE System.Reflection.Assembly.Load(byte[])
Source: September payments.exe Static PE information: 0xD20C92D2 [Tue Sep 2 11:49:38 2081 UTC]
Source: C:\Users\user\Desktop\September payments.exe Code function: 0_2_06C88800 pushfd ; retf 0006h 0_2_06C88802
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CDCB30 push eax; ret 14_2_06CDCB31
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Code function: 14_2_06CDD802 pushad ; retf 14_2_06CDD831
Source: September payments.exe Static PE information: section name: .text entropy: 7.5939135879816275
Source: YifGIcnmZiWfn.exe.0.dr Static PE information: section name: .text entropy: 7.5939135879816275
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, CLVLL99T6Oi59Tk1GW.cs High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, jn3pd38o6HydlGk2jv.cs High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, flR3Wtu2gZG533jdYf.cs High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, nnVNRT4c5sySiXXnA1.cs High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, k3g9ZncN9gMhaZC5gA.cs High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, DnoOdX55MSVlywNWqFj.cs High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, FDW9O13LNeNN2ADGYN.cs High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, doTbPAw0AUeUPrUYUG.cs High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, GpM7jNiMoR3B8LQF5I.cs High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, ptYaKU5boCJp9McaiEV.cs High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, xlm4psUO4PjUh7S4Bm.cs High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, q0kGt9okAjtGPm0jl7.cs High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, bBOVxW7S0gel36u4PX.cs High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, kuHYVfr0G6ndTFipQi.cs High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, gnFlTahpqRvcZEpWdR.cs High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, eyntHx5VCUAEWgPjva2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
Source: 0.2.September payments.exe.99d0000.5.raw.unpack, jItbcceLl11vo3ORv1.cs High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, CLVLL99T6Oi59Tk1GW.cs High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, jn3pd38o6HydlGk2jv.cs High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, flR3Wtu2gZG533jdYf.cs High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, nnVNRT4c5sySiXXnA1.cs High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, k3g9ZncN9gMhaZC5gA.cs High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, DnoOdX55MSVlywNWqFj.cs High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, FDW9O13LNeNN2ADGYN.cs High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, doTbPAw0AUeUPrUYUG.cs High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, GpM7jNiMoR3B8LQF5I.cs High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, ptYaKU5boCJp9McaiEV.cs High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, xlm4psUO4PjUh7S4Bm.cs High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, q0kGt9okAjtGPm0jl7.cs High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, bBOVxW7S0gel36u4PX.cs High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, kuHYVfr0G6ndTFipQi.cs High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, gnFlTahpqRvcZEpWdR.cs High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, eyntHx5VCUAEWgPjva2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
Source: 0.2.September payments.exe.42d0c30.3.raw.unpack, jItbcceLl11vo3ORv1.cs High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, m7r0yMa9Ti2J3ScCM9.cs High entropy of concatenated method names: 'FDdGULA5Km', 'Hc8Gu6vKCx', 'AkoFb6OGga', 'Fn1F5lt2Z6', 'cEMGYSIpY9', 'pWHGpKf8Sr', 'pPtGeP6t9V', 'eW9GDlrCmF', 'HM3GmXdbwG', 'T1pGlsbFGt'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, RJ9jlEDmJ8gZw5oo8O.cs High entropy of concatenated method names: 'QahLyaQjud', 'bshLpH6cPC', 'Ad1LDMQYOF', 'DPcLmX10GH', 'ttpLgGqnKA', 'j4kLQFBRWL', 'iWnLCZXnmv', 'wiUL60bhPN', 'mTgLSR9BTD', 'uRKLif1MaG'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, CLVLL99T6Oi59Tk1GW.cs High entropy of concatenated method names: 'jxxVN5FLwu', 'FZuVMV99IE', 'pVTVcR2uwb', 'dvfVPtQZYT', 'VQdVAqLgPL', 'TjYVKk1rxn', 'DeRVZggbgR', 'w4lV9GZbTd', 'RtmVIYRtbL', 'xFmVkGXY3x'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, jn3pd38o6HydlGk2jv.cs High entropy of concatenated method names: 'mYKKN1KFIr', 'XCEKceLdZR', 'JbuKAtukIa', 'r1yKZlSdaE', 'orJK9O2mYA', 'TJUAOH9Hv8', 'oFEAaF3IrX', 'Jy2AdO50IE', 'flsAUo3J5J', 'wtmA0weukl'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, flR3Wtu2gZG533jdYf.cs High entropy of concatenated method names: 'nLTt5eXJBM', 'SpOtVdA16F', 'qdrthkibSI', 'QwGtMeg3PR', 'CY7tc1KJ5o', 'yb7tAOFkoF', 'eu7tK9GOul', 'bf0FdYZLsg', 'TqGFUsr6KG', 'OrHF0plkOP'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, nnVNRT4c5sySiXXnA1.cs High entropy of concatenated method names: 'sauAX8Zeiw', 'UUvAjZXkkh', 'MJbPQP2lin', 'WxNPCG8cBF', 'HZMP6io1rC', 'S2FPSkJqPP', 'fSKPid8le1', 'KRTPnXu6sZ', 'OiJPrLB6SA', 'DkdPyRKitJ'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, k3g9ZncN9gMhaZC5gA.cs High entropy of concatenated method names: 'Dispose', 'fIi50d79i2', 'KubogEII4i', 'J5m33pojX9', 'vHl5um4psO', 'FPj5zUh7S4', 'ProcessDialogKey', 'xm8obn1kKc', 'jRVo50iH4M', 'lboooMlR3W'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, DnoOdX55MSVlywNWqFj.cs High entropy of concatenated method names: 'ToString', 'Uq32VPNthf', 'FMu2hkTSLv', 'Ghv2NqsdWh', 'fIv2MLAvJT', 'KU42cVpSMS', 'tAN2P8dfIi', 'bBD2AQaCKl', 'lc538ETVrY8gUNg1yJw', 'hqWGB9THGQqvl4RfZRh'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, FDW9O13LNeNN2ADGYN.cs High entropy of concatenated method names: 'BK4PEgjAID', 'IAXPqNPV6g', 'oYDP75D7oh', 'E7nP3wcFOh', 'nFnPLe6oRr', 'I1xPRA1SQ7', 'rV1PGMQt8D', 'r39PFsmu2n', 'NvIPtLBM1w', 'InKP2l3vfN'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, doTbPAw0AUeUPrUYUG.cs High entropy of concatenated method names: 'EWiGkHb2nW', 'MRaGvJKmlu', 'ToString', 'XdwGM1ZPaQ', 'TRDGc0QWk5', 'Sf7GPOd3yG', 'QtAGA45Ccw', 'I5GGK8XsGg', 'E9MGZ6HMAl', 'bsFG9REbML'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, GpM7jNiMoR3B8LQF5I.cs High entropy of concatenated method names: 'uubZMjhka3', 'G5RZPIb8Pb', 'zPsZKulXBy', 'BrtKumBLZe', 'fTNKzcNNHF', 'NaoZbE71bW', 'If3Z5YruDj', 'RNEZoVjTyy', 'pTqZVkFu2P', 'NDhZhX90ke'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, ptYaKU5boCJp9McaiEV.cs High entropy of concatenated method names: 'ItMtBZwTLj', 'IKXt1Ew0pt', 'MeytT3qCrG', 'JxXtEfXPrs', 'K7rtXVHpqP', 'yJktqAq8Gw', 'dVPtjTip0Z', 'shgt7SZrmG', 'XFOt3Wtanx', 'puat4XYreV'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, xlm4psUO4PjUh7S4Bm.cs High entropy of concatenated method names: 'EWoFM2cPsO', 'KcUFcdyPZQ', 'dSBFPWbP3x', 'AWwFAegq0H', 'ejoFKLZJX4', 'pkVFZ8m98K', 'Q0nF9aqByO', 'QLQFI9g8YN', 'kZDFkkGVAZ', 'u4LFvYrRZw'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, q0kGt9okAjtGPm0jl7.cs High entropy of concatenated method names: 'qTnTdYCPZ', 'XRrEQUjUv', 'AVEqvZcX4', 'CdQjk4Uk1', 'uds3VCRvH', 'kPI4XKCmp', 'VGYWLk3M8LZsO3U6jE', 'MccAO2DZJrckp0CVv5', 'Y5WFkHsHv', 'C8m2cKTEq'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, bBOVxW7S0gel36u4PX.cs High entropy of concatenated method names: 'E2QcDpURYV', 'eiTcm7TG08', 'X82cl9F797', 'XGWcwZYvD2', 'TgdcODaJjt', 'WOBca7Kjlu', 'qPvcdfQkiX', 'OZEcUF2CiO', 'XoGc0AABXE', 'iTjcu8q9Il'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, kuHYVfr0G6ndTFipQi.cs High entropy of concatenated method names: 'G9VZB8Yyqk', 'OgfZ1nSjQA', 'oHVZTPcdRj', 'b1xZEG1vrl', 'Cy2ZX2fj5v', 'OhHZqo1khM', 'cFkZjdac6g', 'x94Z7v8vil', 'yIcZ3lZ1kU', 'KRyZ4kuL0R'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, Gn1kKc0ZRV0iH4Mkbo.cs High entropy of concatenated method names: 'oksF80llDj', 'TFwFgwtyX0', 'UcTFQD2lS5', 'J23FCtZ8JR', 'r71FD7MxSL', 'tyaF6lkve8', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, gnFlTahpqRvcZEpWdR.cs High entropy of concatenated method names: 'hW55ZBOVxW', 'K0g59el36u', 'yLN5keNN2A', 'QGY5vNWnVN', 'BXn5LA1Zn3', 'Pd35Ro6Hyd', 'NR4pBUQS0PZOHZfPMb', 'r5rVhNf4WiI9pYsua3', 'FlQ55GnxHw', 'Mvg5VT22nT'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, eyntHx5VCUAEWgPjva2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'dHS2DRliNe', 'Hm02m0tT9V', 'RAl2lvaLoi', 'YuS2wPYNtH', 'N4h2OUAj3J', 'kK92amnqkg', 'gyN2d4HGtN'
Source: 0.2.September payments.exe.4358c50.0.raw.unpack, jItbcceLl11vo3ORv1.cs High entropy of concatenated method names: 'mcVW73Nlrb', 'BfxW3hUUNA', 'HLuW8nHVNH', 'o8mWgs8iXZ', 'iyvWCH2nCt', 'iZqW6U0PAB', 'nvnWivPBUc', 'AiuWn45VeQ', 'PEZWybo5tV', 'E6mWYMeMOy'
Source: C:\Users\user\Desktop\September payments.exe File created: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe

Boot Survival

Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\September payments.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: September payments.exe PID: 7628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YifGIcnmZiWfn.exe PID: 8148, type: MEMORYSTR
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 2840000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 7220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 8220000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 83C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 93C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: 9A60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: AA60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: BA60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 26E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 6D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 7D60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 7EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 8EF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: 9450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: A450000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Memory allocated: B450000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\September payments.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5551 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 865 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7485 Jump to behavior
Source: C:\Users\user\Desktop\September payments.exe TID: 7648 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7944 Thread sleep count: 5551 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7952 Thread sleep count: 865 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe TID: 8176 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\September payments.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\September payments.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\September payments.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\September payments.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\September payments.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmpF1AE.tmp"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YifGIcnmZiWfn" /XML "C:\Users\user\AppData\Local\Temp\tmp304.tmp"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Users\user\Desktop\September payments.exe VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Queries volume information: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\YifGIcnmZiWfn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\September payments.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
No contacted IP infos