
Windows Analysis Report
Payment Receipt 0002994040595069600079000079700000.exe

Overview

General Information

Sample name: Payment Receipt 0002994040595069600079000079700000.exe
Analysis ID: 1608136
MD5: 4ab27fd8abf2cb87f1e79900e01f69f6
SHA1: aeaab1bf04a8161f12cf9ef6b8a53b52213dee82
SHA256: 5b72ed928f8a9e98082f9d22d1966a0bfea8222c51041311a6ab5b1339c8f95c
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla): {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000001.00000002.4149136349.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.4149136349.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.4149136349.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8 further entries not shown.
Yara matches in unpacked PE files (Source | Rule | Description | Author; matched strings listed beneath each entry):
1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33afd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33b6f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33bf9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33c8b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33cf5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33d67:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33dfd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33e8d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x30e3d:$s2: GetPrivateProfileString
  • 0x30540:$s3: get_OSFullName
  • 0x31c11:$s5: remove_Key
  • 0x31dd9:$s5: remove_Key
  • 0x32d01:$s6: FtpWebRequest
  • 0x33adf:$s7: logins
  • 0x34051:$s7: logins
  • 0x36d62:$s7: logins
  • 0x36e14:$s7: logins
  • 0x38766:$s7: logins
  • 0x379ae:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7 further entries not shown.

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Payment Receipt 0002994040595069600079000079700000.exe | Avira: detected
Source: http://concaribe.com | Avira URL Cloud: Label: malware
Source: http://ftp.concaribe.com | Avira URL Cloud: Label: malware
Source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}
Source: Payment Receipt 0002994040595069600079000079700000.exe | Virustotal: Detection: 45%
Source: Payment Receipt 0002994040595069600079000079700000.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Payment Receipt 0002994040595069600079000079700000.exe | Joe Sandbox ML: detected
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb | source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672848237.00000000028C0000.00000004.08000000.00040000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Nova\source\repos\watchman\watchman\obj\Debug\watchman.pdb | source: Payment Receipt 0002994040595069600079000079700000.exe
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll | source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672848237.00000000028C0000.00000004.08000000.00040000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 192.185.13.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ftp.concaribe.com
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://concaribe.com
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.00000000032FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.concaribe.com
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1673052878.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1673052878.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4149136349.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, cPKWk.cs | .Net Code: ojpIFBdoe

System Summary

Source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: initial sample | Static PE information: Filename: Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static file information: Suspicious name
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 0_2_00F747E8
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_0173A228
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_0173E770
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_01734A58
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_0173AAB0
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_01733E40
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_01734188
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D3A8B4
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D3A598
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D3BDF0
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D3DBF0
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D566C0
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D556A0
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D5C240
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D52380
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D5B300
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D57E40
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D57760
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D5E468
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D50040
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D55DC8
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Code function: 1_2_06D50006
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672848237.00000000028CC000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePiver.dllH vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672357283.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.0000000002932000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePiver.dllH vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.0000000002932000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000000.1669713984.0000000000572000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewatchman.exe2 vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4147950407.00000000010F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4147852130.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb6643012-12fd-45a5-9ab2-ac7e7ee5488b.exe4 vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe | Binary or memory string: OriginalFilenamewatchman.exe2 vs Payment Receipt 0002994040595069600079000079700000.exe
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Payment Receipt 0002994040595069600079000079700000.exe, Meantime.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Receipt 0002994040595069600079000079700000.exe.log
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Mutant created: NULL
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payment Receipt 0002994040595069600079000079700000.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Receipt 0002994040595069600079000079700000.exe | Virustotal: Detection: 45%
Source: Payment Receipt 0002994040595069600079000079700000.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe "C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe"
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Process created: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe "C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe"
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Process created: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe "C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe"
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: Payment Receipt 0002994040595069600079000079700000.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Payment Receipt 0002994040595069600079000079700000.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Payment Receipt 0002994040595069600079000079700000.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672848237.00000000028C0000.00000004.08000000.00040000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\Nova\source\repos\watchman\watchman\obj\Debug\watchman.pdb source: Payment Receipt 0002994040595069600079000079700000.exe
                  Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Runpe\WindowsFormsApp1\WindowsFormsApp1\obj\Debug\Piver.pdb_JyJ kJ_CorDllMainmscoree.dll source: Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672848237.00000000028C0000.00000004.08000000.00040000.00000000.sdmp, Payment Receipt 0002994040595069600079000079700000.exe, 00000000.00000002.1672977456.00000000028E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Payment Receipt 0002994040595069600079000079700000.exe  Static PE information: 0xAA9B0FA3 [Mon Sep 13 08:13:23 2060 UTC]
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Code function: 1_2_01730C55 push edi; retf 1_2_01730C7A
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Code function: 1_2_06D33FCF push 2406E3DAh; retf 1_2_06D33FD5
                  Source: Payment Receipt 0002994040595069600079000079700000.exe  Static PE information: section name: .text entropy: 7.811913370148884
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: F30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: 28E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: 48E0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: 16F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: 3280000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Memory allocated: 30B0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599828
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599717
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599609
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599498
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599390
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599281
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599171
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 599062
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598953
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598843
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598734
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598625
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598515
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598406
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598296
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598187
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 598078
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597968
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597859
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597750
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597640
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597531
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597402
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597296
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597184
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 597037
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596906
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596797
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596687
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596578
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596468
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596359
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596250
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596140
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 596031
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595922
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595812
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595693
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595562
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595453
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595343
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595234
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595125
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 595015
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 594906
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 594797
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 594660
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 594531
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Thread delayed: delay time: 594421
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Window / User API: threadDelayed 1543
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe  Window / User API: threadDelayed 8312
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 7072  Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep count: 31 > 30
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -28592453314249787s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 5780  Thread sleep count: 1543 > 30
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599828s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 5780  Thread sleep count: 8312 > 30
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599717s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599609s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599498s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599390s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599281s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599171s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -599062s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598953s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598843s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598734s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598625s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598515s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598406s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598296s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598187s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -598078s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597968s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597859s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597750s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597640s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597531s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740  Thread sleep time: -597402s >= -30000s
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -597296s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -597184s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -597037s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596797s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596687s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596578s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596468s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596359s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596250s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596140s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -596031s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595922s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595812s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595693s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595562s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595453s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595343s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595234s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595125s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -595015s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -594906s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -594797s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -594660s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -594531s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe TID: 1740Thread sleep time: -594421s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599828Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599717Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599609Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599498Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599390Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599281Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599171Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 599062Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598953Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598843Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598734Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598625Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598515Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598406Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598296Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598187Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 598078Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597968Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597859Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597750Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597640Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597531Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597402Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597296Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597184Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 597037Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596906Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596797Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596687Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596578Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596468Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596250Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596140Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 596031Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595922Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595812Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595693Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595453Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595343Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595234Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595125Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 595015Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 594906Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 594797Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 594660Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 594531Jump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeThread delayed: delay time: 594421Jump to behavior
                  Source: Payment Receipt 0002994040595069600079000079700000.exe, 00000001.00000002.4148117723.00000000014CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.28c0000.0.raw.unpack, Nive.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                  Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.28c0000.0.raw.unpack, Nive.cs; Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                  Source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, Ljq6xD21ACX.cs; Reference to suspicious API methods: OZkujShDCVG.OpenProcess(aPNZ30.DuplicateHandle, bInheritHandle: true, (uint)snUp2.ProcessID)
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Memory written: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Process created: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe "C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe"
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match; File source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000002.4149136349.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.4149136349.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 000299404059506960007900007 PID: 7000, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 0002994040595069600079000079700000.exe PID: 7156, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\FTP Navigator\Ftplist.txt
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Users\user\Desktop\Payment Receipt 0002994040595069600079000079700000.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: Yara match; File source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000002.4149136349.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 000299404059506960007900007 PID: 7000, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 0002994040595069600079000079700000.exe PID: 7156, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match; File source: 1.2.Payment Receipt 0002994040595069600079000079700000.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 0.2.Payment Receipt 0002994040595069600079000079700000.exe.3a0c638.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match; File source: 00000001.00000002.4149136349.00000000032FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.4149136349.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000001.00000002.4147852130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.0000000003A4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: 00000000.00000002.1673052878.00000000038E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 000299404059506960007900007 PID: 7000, type: MEMORYSTR
                  Source: Yara match; File source: Process Memory Space: Payment Receipt 0002994040595069600079000079700000.exe PID: 7156, type: MEMORYSTR

                  MITRE ATT&CK Matrix

                  The matrix is reconstructed from the flattened 14-column table, one line per tactic column; the numbers preceding a technique name are carried over from the matrix as rendered.

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                  Execution: 121 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                  Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                  Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 111 Process Injection
                  Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                  Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 111 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                  Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                  Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
