Windows Analysis Report
Payment details.exe

Overview

General Information

Sample name: Payment details.exe
Analysis ID: 1432054
MD5: d88a9970ec7a11ade4a6dfc3d8150496
SHA1: 90e72afbb1eed4c0f20fbc8a7ef5e3069ece0eef
SHA256: c159014c79f8dc4d7888b0c092286f9b47fb2b1497dfbfa7c0620d78257127e2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.teddyjnr.com", "Username": "cs2@teddyjnr.com", "Password": "Lisa#2022!"}
Source: Payment details.exe Virustotal: Detection: 70%
Source: Payment details.exe ReversingLabs: Detection: 71%
Source: Payment details.exe Joe Sandbox ML: detected
Source: Payment details.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: Payment details.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Payment details.exe Code function: 4x nop then jmp 06BE0CC4h 0_2_06BE0211
Source: C:\Users\user\Desktop\Payment details.exe Code function: 4x nop then jmp 06BE0CC4h 0_2_06BE0364
Source: C:\Users\user\Desktop\Payment details.exe Code function: 4x nop then jmp 06BE0CC4h 0_2_06BE0AA9
Source: global traffic TCP traffic: 192.168.2.8:49713 -> 50.87.145.190:587
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: mail.teddyjnr.com
Source: Payment details.exe, 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.teddyjnr.com
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710777307.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2717708671.0000000006B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp, Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Payment details.exe, 00000003.00000002.2712719850.0000000003041000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
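The traffic above reduces to a small, high-value indicator set: DNS for api.ipify.org and mail.teddyjnr.com, a TLS session to 104.26.13.205:443 with JA3 3b5074b1b5d032e5620f69f9f700ff0e, an HTTP GET to api.ipify.org carrying a Firefox user agent from a non-browser process, and SMTP submission from 192.168.2.8 to 50.87.145.190:587, which is what the "Suspicious Outbound SMTP Connections" Sigma hit keys on. The following Python is an added example, not part of the Joe Sandbox report, that runs those checks over a constructed JSON-lines traffic log. The record schema, the MAIL_RELAYS allow-list and the addresses 10.0.0.25, 192.168.2.9 and 8.8.8.8 are assumptions of the example; everything else in the indicator set is copied from the report.

```python
"""Match the report's network indicators against a JSON-lines traffic log.
Added example; the log schema, MAIL_RELAYS and the non-report addresses are assumptions."""
import ipaddress
import json
from typing import Iterable

# Indicators copied from the report above.
EXFIL_HOSTS = {"mail.teddyjnr.com"}
EXFIL_IPS = {"50.87.145.190"}
IP_CHECK_HOSTS = {"api.ipify.org"}
KNOWN_BAD_JA3 = {"3b5074b1b5d032e5620f69f9f700ff0e"}
SMTP_PORTS = {25, 465, 587}
# Assumption: the only internal hosts allowed to open SMTP to the Internet.
MAIL_RELAYS = {"10.0.0.25"}


def is_private(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def check_record(rec: dict) -> list:
    """Return alert strings for one log record (empty list if clean)."""
    hits = []
    kind = rec.get("type")
    if kind == "conn":
        src, dst, dport = rec["src"], rec["dst"], int(rec["dport"])
        # "Suspicious Outbound SMTP Connections": a workstation that is not the
        # mail relay opening 25/465/587 to the Internet.
        if dport in SMTP_PORTS and is_private(src) and not is_private(dst) and src not in MAIL_RELAYS:
            hits.append(f"outbound SMTP from non-relay host {src} -> {dst}:{dport}")
        if dst in EXFIL_IPS:
            hits.append(f"connection to AgentTesla exfil server {dst}:{dport}")
    elif kind == "dns":
        q = rec["query"].lower().rstrip(".")
        if q in EXFIL_HOSTS:
            hits.append(f"DNS lookup of exfil host {q}")
        elif q in IP_CHECK_HOSTS:
            hits.append(f"external-IP lookup via {q}")
    elif kind == "http":
        if rec["host"].lower() in IP_CHECK_HOSTS:
            hits.append(f"HTTP {rec['method']} {rec['host']}{rec['uri']} (UA: {rec['user_agent'][:24]})")
    elif kind == "tls":
        if rec["ja3"].lower() in KNOWN_BAD_JA3:
            hits.append(f"JA3 {rec['ja3']} to {rec['dst']} seen with known malware")
    return hits


def scan(lines: Iterable) -> list:
    """Run check_record over JSON-lines input; returns (line_number, alert) pairs."""
    alerts = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line:
            alerts.extend((n, msg) for msg in check_record(json.loads(line)))
    return alerts


# Constructed log. Lines 1-5 reproduce the addresses, ports, hostnames and JA3 hash from
# the report; lines 6-8 are invented controls (an allowed relay, benign DNS, a second victim).
SAMPLE_LOG = """
{"type": "dns", "src": "192.168.2.8", "query": "api.ipify.org"}
{"type": "tls", "src": "192.168.2.8", "dst": "104.26.13.205", "dport": 443, "ja3": "3b5074b1b5d032e5620f69f9f700ff0e"}
{"type": "http", "src": "192.168.2.8", "host": "api.ipify.org", "method": "GET", "uri": "/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0"}
{"type": "dns", "src": "192.168.2.8", "query": "mail.teddyjnr.com"}
{"type": "conn", "src": "192.168.2.8", "dst": "50.87.145.190", "dport": 587}
{"type": "conn", "src": "10.0.0.25", "dst": "8.8.8.8", "dport": 25}
{"type": "dns", "src": "192.168.2.9", "query": "www.example.com"}
{"type": "conn", "src": "192.168.2.9", "dst": "8.8.8.8", "dport": 25}
""".strip().splitlines()


if __name__ == "__main__":
    for n, msg in scan(SAMPLE_LOG):
        print(f"line {n}: {msg}")
```

Weight the hits differently: the SMTP rule and the exfil host/IP are strong on their own, while a JA3 hash identifies the TLS stack rather than the program, so a .NET stealer shares it with benign .NET software, and api.ipify.org lookups are also made by legitimate tools. Treat those two as corroboration. The extracted configuration also names the drop mailbox (cs2@teddyjnr.com on mail.teddyjnr.com), which is the identifier to hand to the hosting provider for takedown.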

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 7KG.cs .Net Code: VWsZPXPZ

System Summary

Source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Payment details.exe, Form4.cs Large array initialization: array initializer size 624245
Source: initial sample Static PE information: Filename: Payment details.exe
Source: C:\Users\user\Desktop\Payment details.exe Code functions (process 0): 0_2_008CE034, 0_2_04AF0023, 0_2_04AF0040, 0_2_06AE7B18, 0_2_06AEB4FF, 0_2_06AEB500, 0_2_06AEB0C8, 0_2_06AEB0C3, 0_2_06AE1EBF, 0_2_06AE1EC0, 0_2_06AEAC90, 0_2_06AE0BA0, 0_2_06AECBF8, 0_2_06AECBF3, 0_2_06AE7B13, 0_2_06AEA858, 0_2_06BE20E8
Source: C:\Users\user\Desktop\Payment details.exe Code functions (process 3): 3_2_0160A198, 3_2_0160E540, 3_2_0160B6C5, 3_2_0160A960, 3_2_01604A98, 3_2_0160DCE8, 3_2_01603E80, 3_2_016041C8, 3_2_06DF66F8, 3_2_06DF7E90, 3_2_06DF56A0, 3_2_06DF2350, 3_2_06DFB348, 3_2_06DF77B0, 3_2_06DFE4C8, 3_2_06DF5DF8, 3_2_06DF0040, 3_2_074833D0, 3_2_06DF0007
Source: Payment details.exe, 00000000.00000002.1513799823.000000000402E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1517381828.0000000004D80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1510628607.00000000008DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1512302122.0000000002695000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1512302122.0000000002651000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe, 00000000.00000002.1520568404.000000000AC80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment details.exe
Source: Payment details.exe, 00000003.00000002.2710626788.0000000000F99000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment details.exe
Source: Payment details.exe, 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename0f347a7e-8916-44ab-95d4-6c89075a4b35.exe4 vs Payment details.exe
Source: Payment details.exe Binary or memory string: OriginalFilenameKuVx.exeL vs Payment details.exe
Source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Payment details.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 1UT6pzc0M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, DnQOD3M.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, 01seU.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, iUDwvr7Gz.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, XUu2qKyuF6.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, aZathEIgR.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, l50VLEll22.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UZVZoEDHpoVLjqNChJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UZVZoEDHpoVLjqNChJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UZVZoEDHpoVLjqNChJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Payment details.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment details.exe.log
Source: C:\Users\user\Desktop\Payment details.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Payment details.exe Mutant created: \Sessions\1\BaseNamedObjects\qdYnAdpdUHRUuIKSU
Source: Payment details.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment details.exe File read: C:\Users\user\Desktop\Payment details.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
Source: C:\Users\user\Desktop\Payment details.exe Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
Source: C:\Users\user\Desktop\Payment details.exe Sections loaded (first process): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, propsys.dll, windowscodecs.dll
Source: C:\Users\user\Desktop\Payment details.exe Sections loaded (second process): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, vaultcli.dll, wintypes.dll
Source: C:\Users\user\Desktop\Payment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Payment details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: Payment details.exe, Form1.cs .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs .Net Code: vL3RCssoS7 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Payment details.exe Code function: 0_2_06AE7739 push ds; ret 0_2_06AE773A
Source: C:\Users\user\Desktop\Payment details.exe Code function: 0_2_06AEF380 push esp; ret 0_2_06AEF381
Source: C:\Users\user\Desktop\Payment details.exe Code function: 0_2_06AE8FA8 pushad ; ret 0_2_06AE8FA9
Source: C:\Users\user\Desktop\Payment details.exe Code function: 0_2_06AE6C38 push ss; ret 0_2_06AE6C3A
Source: C:\Users\user\Desktop\Payment details.exe Code function: 3_2_01600CB5 push edi; ret 3_2_01600CC2
Source: C:\Users\user\Desktop\Payment details.exe Code function: 3_2_01600C95 push edi; retf 3_2_01600C3A
Source: C:\Users\user\Desktop\Payment details.exe Code function: 3_2_074811B0 push es; ret 3_2_074811C0
Source: Payment details.exe Static PE information: section name: .text entropy: 7.878264243644894
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, x1B8hexi7GdbtBIh7Q.cs High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CIfLtp8bAODgXWbeaD.cs High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, VkT0kaHH30wdrJH2KoK.cs High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, i3O3Pj45OPHVIZdAWo.cs High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, HGySSrHliPOapMJASi7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, mmFnaqP5owL6IEg2FI.cs High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CJmfd4WH4nChh1KFbY.cs High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UZVZoEDHpoVLjqNChJ.cs High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, UCivs3bd6ZHsjPWage.cs High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, Du9TFDHBwOHsEU2frQV.cs High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, dLsb5Uc8P80NOQC4lq.cs High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, EZWxpHzGjAS1YR9evs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, dQ34efIVneJTi0l4MZ.cs High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, QVqwBsQtuK0eguTdxM.cs High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, MTfbaUAdhDRksDk6NZ.cs High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, MgFmQbZoixFd3sa9Zx.cs High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, je50eF3J6M7NjU5sUi.cs High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, CQg2GvSkepLbbBqnWo.cs High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, NMrhkP9rN3bakowSji.cs High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
Source: 0.2.Payment details.exe.4235f60.8.raw.unpack, OURUepHS0rINJ6GuUfW.cs High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, x1B8hexi7GdbtBIh7Q.cs High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CIfLtp8bAODgXWbeaD.cs High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, VkT0kaHH30wdrJH2KoK.cs High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, i3O3Pj45OPHVIZdAWo.cs High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, HGySSrHliPOapMJASi7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, mmFnaqP5owL6IEg2FI.cs High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CJmfd4WH4nChh1KFbY.cs High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UZVZoEDHpoVLjqNChJ.cs High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, UCivs3bd6ZHsjPWage.cs High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, Du9TFDHBwOHsEU2frQV.cs High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, dLsb5Uc8P80NOQC4lq.cs High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, EZWxpHzGjAS1YR9evs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, dQ34efIVneJTi0l4MZ.cs High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, QVqwBsQtuK0eguTdxM.cs High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, MTfbaUAdhDRksDk6NZ.cs High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, MgFmQbZoixFd3sa9Zx.cs High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, je50eF3J6M7NjU5sUi.cs High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, CQg2GvSkepLbbBqnWo.cs High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, NMrhkP9rN3bakowSji.cs High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
Source: 0.2.Payment details.exe.ac80000.15.raw.unpack, OURUepHS0rINJ6GuUfW.cs High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, x1B8hexi7GdbtBIh7Q.cs High entropy of concatenated method names: 'UrDrcrDsYH', 'YA7r5lLmgJ', 'VAKrClt89M', 'mKNr6AxPPP', 'rmFrh2tiga', 'D1LrURP2Z9', 'opsraNqyWt', 'OMYrypoIaa', 'n0Ocvhwcu3m5ksJ9f24', 'XGdbnCwZGNbuQ8Oa2IE'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CIfLtp8bAODgXWbeaD.cs High entropy of concatenated method names: 'CxI2VNSOhc', 'XZw2anMnKT', 'Ug32MhDNNi', 'XcB2kpxnso', 'uT92dqCx4O', 'AKh2LDE8rS', 'rKB2xIaL3l', 'qRb2SrSRij', 'svY2Xtlr83', 'yip2FNL5qr'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, VkT0kaHH30wdrJH2KoK.cs High entropy of concatenated method names: 'ToString', 'rgL3uvfJss', 'yrG3RfTNgo', 'y7f39PUIUE', 'FbQ3mhOx3c', 'dAZ3KfLxh1', 'iqM3Hu2FI6', 'ak83j48wSu', 'ebX4JJtBcdTujFnvVJr', 'rk2dQNtrrZNiA8hWPal'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, i3O3Pj45OPHVIZdAWo.cs High entropy of concatenated method names: 'FJGEYus1Ot', 'ihVEAmfq4N', 'l5psJX3fti', 'owLsNInIBW', 'ddREFnmlue', 'sfeEgMiOfc', 'IRWEOL0BcI', 'LN1EeiSeAe', 'ToYEBMsVSW', 'SxJEvaorx5'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, HGySSrHliPOapMJASi7.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oXw3etXfOX', 'cO83BiIqZi', 'GAP3vbEk4m', 'WFg3GVSYAN', 'sNE3qUBPk6', 'ShY31L6Jde', 'PWH3TYajbq'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, mmFnaqP5owL6IEg2FI.cs High entropy of concatenated method names: 'YsMu9goMHo', 'n0gumj8XL9', 'wL1uKkvsy0', 'ci3uHHVp7t', 'L1Yuj9HeIv', 'LwNurZX1gs', 'uRuuoY7XUt', 'Ebbunmhvnj', 'H4Hu0lVQ2Z', 'a1kuf3PCEG'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CJmfd4WH4nChh1KFbY.cs High entropy of concatenated method names: 'oEaEfuTKuA', 'T1BEba2EaG', 'ToString', 'TydEmxSZR6', 'RkWEKyZ4Ug', 'X8NEHmYpRQ', 'jfuEj8MRbb', 'YY6ErSPdFV', 'cVlEo7FK7Q', 'SiBEn2wQkJ'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UIsVYqOQLU5Cs3K2UW.cs High entropy of concatenated method names: 'PCpjPhrhMw', 'p0djUxW5ms', 'PwxHDcilX0', 'DhjHdjoAJr', 'pryHLbwEqQ', 'PgRHWiwLGV', 'xKyHxCZGI7', 'hOYHSglvaE', 'I2lHpJ0oef', 'sfJHXJiSAo'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UZVZoEDHpoVLjqNChJ.cs High entropy of concatenated method names: 'sfNKe4S0rT', 'ryKKBhIOGV', 'XLPKvsnbIL', 't1hKGuMh0o', 'tNJKq3OfI5', 'EExK11QPvK', 'mcZKTA1o3H', 'BLQKYAVyJV', 'XkkK8Fd2uO', 'ysmKALgM5n'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, UCivs3bd6ZHsjPWage.cs High entropy of concatenated method names: 'K9Gsmpe9Xx', 'wXtsKk2wGQ', 'G8msH9j0p3', 'p6gsjDgg3i', 'YefsrB5Dnr', 'bFnsotamLH', 'spnsnWmAL9', 'G38s0QrJOT', 'mXMsfvaqms', 'zqOsbL4ipe'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, Du9TFDHBwOHsEU2frQV.cs High entropy of concatenated method names: 'RjPI5h9mcW', 'XWGIQwYEEi', 'XKFIC8sYIE', 'vfpI6YbYw8', 'PGwIPpt2w6', 'zhoIhoopMx', 'i02IUt7VUo', 'E5XIVbKEta', 'SlVIa2EBAN', 'B8OIy0TgL0'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, dLsb5Uc8P80NOQC4lq.cs High entropy of concatenated method names: 'aHMINcBh2s', 'DWWIuyNDdt', 'HynIR5xywh', 'HTZImOfopx', 'rIxIKnnrJd', 'lRgIjvLA7J', 'qEaIr3wTAQ', 'nkOsTCxAv0', 'hnQsY0lnoP', 'Ehts8eMkaG'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, EZWxpHzGjAS1YR9evs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jLgI2tuI7s', 'O9kIlPub1N', 'UDHIwR8yqj', 'SjkIEkOj44', 'ygYIsUTjMg', 'cO6II3opw6', 'TuiI3rMKU4'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, dQ34efIVneJTi0l4MZ.cs High entropy of concatenated method names: 'ISiH6LA8yq', 'UHuHhWrn1X', 'XgnHVIt45Z', 'JrdHaxEK6M', 'MhEHllJgb0', 'RiPHwQuI5a', 'bSfHEuK1dY', 'd6QHsBtan6', 'dudHIaiqwD', 'DxnH30gBK2'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, QVqwBsQtuK0eguTdxM.cs High entropy of concatenated method names: 'h7yr9bAbOy', 'Ei9rKQNHjG', 'uHGrj2h4hh', 'sFyroj997G', 'gGgrnauReM', 'hlOjqLFpyc', 'D53j14EOEE', 'GtrjTduKwu', 'li3jYjal9N', 'SNcj8NhxIl'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, MTfbaUAdhDRksDk6NZ.cs High entropy of concatenated method names: 'Dispose', 'lhgN8Ks7Zw', 'Md7Zk1atdq', 'NKqiisP00L', 'veVNAoC2HV', 'L98NzMFvdm', 'ProcessDialogKey', 'siRZJ8q2MU', 'JClZNjCKYA', 'I6LZZclVFo'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, MgFmQbZoixFd3sa9Zx.cs High entropy of concatenated method names: 'Qlxo5isRu9', 'CwboQLLqX9', 'Pu1oCHYkkt', 'mEto62dJqk', 'aKMoPHG29n', 'NKQohy3miB', 'YDfoUqg0lc', 'iEioV6GX9V', 'pWYoaZYXVi', 'bumoyiPKkB'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, je50eF3J6M7NjU5sUi.cs High entropy of concatenated method names: 'PGAsMEcZbX', 'nOKsklMDUp', 'SkusD8OPc8', 'roVsdkoVOt', 'EbpsebKF2t', 'JfJsLv1WT0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, CQg2GvSkepLbbBqnWo.cs High entropy of concatenated method names: 'GvNCP7AVe', 'MJE6Uv7kn', 'jgQhF2CNJ', 'K3JUI1U7P', 'Mfwa5C3Ks', 'CXJyPOJ1m', 'eTo4LmDQBJqj67nKi7', 'Gi17C8qycHAL4c7n4L', 'calsv40Gn', 'g5w3xWbds'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, NMrhkP9rN3bakowSji.cs High entropy of concatenated method names: 'gNZNoKHyqH', 'NUBNnmCAp6', 'wesNfQmg2X', 'nf7NbVXqBq', 'dqPNlP78pq', 'LqLNw36qI7', 'PT9ZwKK5dN3dIS0x8r', 'AcIdkHyWD71NxdbKWg', 'nkeNNYG3hC', 'XC6Nukj2va'
Source: 0.2.Payment details.exe.42b2580.7.raw.unpack, OURUepHS0rINJ6GuUfW.cs High entropy of concatenated method names: 'fKB35ugJWj', 'RUV3QFSnHD', 'pFE3CMbNe5', 'Ip8H8ttL1yfTpACHPNl', 'KEcN6gt0e0lGFqO0Rrs', 'IPODyNt5xsNiseybys5', 'oJWUY7tah4dY5PEdg7u'
Source: C:\Users\user\Desktop\Payment details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Payment details.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Payment details.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 8C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 2650000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 86E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 68D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 96E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: A6E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: AD00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 1600000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: 2E80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment details.exe Window / User API: threadDelayed 4154
Source: C:\Users\user\Desktop\Payment details.exe Window / User API: threadDelayed 1322
Source: C:\Users\user\Desktop\Payment details.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 2772 Thread sleep count: 4154 > 30
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 2772 Thread sleep count: 1322 > 30
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99654s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99421s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99302s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -98047s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97936s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97438s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -96969s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe TID: 3272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99891
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99766
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99654
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99531
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99421
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99302
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99172
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 99047
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98937
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98828
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98719
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98594
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98484
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98375
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98265
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98156
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 98047
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97936
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97688
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97563
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97438
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97313
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97203
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 97094
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 96969
Source: C:\Users\user\Desktop\Payment details.exe Thread delayed: delay time: 922337203685477
Source: Payment details.exe, 00000003.00000002.2710777307.000000000135E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Payment details.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment details.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment details.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment details.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment details.exe Memory written: C:\Users\user\Desktop\Payment details.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment details.exe Process created: C:\Users\user\Desktop\Payment details.exe "C:\Users\user\Desktop\Payment details.exe"
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Users\user\Desktop\Payment details.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Users\user\Desktop\Payment details.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment details.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Payment details.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.Payment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36f2798.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment details.exe.36b7d78.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2712719850.00000000030C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2712719850.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2710425079.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2712719850.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1513799823.00000000036B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 4200, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment details.exe PID: 6372, type: MEMORYSTR