
Analysis Report 1PAYMENT COPY.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 163024
Start date: 14.08.2019
Start time: 05:32:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1PAYMENT COPY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.7% (good quality ratio 2.2%)
  • Quality average: 36.1%
  • Quality standard deviation: 37.3%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 83
  • Number of non-executed functions: 12
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 67.26.111.254, 8.247.211.254, 8.253.208.121, 8.247.210.254, 67.27.154.254, 67.27.155.126, 8.247.209.126, 67.27.153.126, 67.24.27.254, 8.248.3.254, 93.184.221.240
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, wu.ec.azureedge.net, s-0001.s-msedge.net, ctldl.windowsupdate.com, e-0009.e-msedge.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Threat        Detection
Threshold   100     0 - 100   false                     Agent Tesla   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column of the matrix; a number in parentheses is the count shown beside that technique in the matrix cell.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation (111); Scheduled Task (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Scheduled Task (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection (1); Scheduled Task (1); Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing (2); Disabling Security Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Process Injection (1); DLL Side-Loading (1); Software Packing; Indicator Blocking
Credential Access: Credential Dumping (2); Credentials in Files (1); Credentials in Registry (1); Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Security Software Discovery (121); File and Directory Discovery (1); System Information Discovery (112); Query Registry (1); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Data from Local System (2); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Remote File Copy (1); Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (2); Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 1PAYMENT COPY.exe; Joe Sandbox ML: detected

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: checkip.amazonaws.com (4 identical entries)
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 (Host: checkip.amazonaws.com, Connection: Keep-Alive)
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 3.224.145.145
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 (Host: checkip.amazonaws.com, Connection: Keep-Alive)
Found strings which match to known social media urls
Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: kFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: checkip.amazonaws.com
Urls found in memory or binary data
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837671217.0000000002BF2000.00000004.00000001.sdmp; String found in binary or memory: http://checkip.amazonaws.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: http://checkip.amazonaws.com/
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837671217.0000000002BF2000.00000004.00000001.sdmp; String found in binary or memory: http://checkip.amazonaws.com4
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837671217.0000000002BF2000.00000004.00000001.sdmp; String found in binary or memory: http://checkip.us-east-1.prod.check-ip.aws.a2z.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836134958.0000000000D2D000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico~
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehpLMEMp
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-ch/
Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836134958.0000000000D2D000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMx
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Yara detected Agent Tesla Trojan
Source: Yara match; File source: 00000000.00000002.16837188170.0000000002A93000.00000004.00000001.sdmp, type: MEMORY
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: 1PAYMENT COPY.exe
Creates mutexes
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_01
Detected potential crypto function
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_010AE610
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_010AC1C4
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_010AE603
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_071023A8
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07397700
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07398E38
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073986A0
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07397D00
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07393C78
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07394128
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073929E8
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07397008
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07398070
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07390040
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739A731
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07399FBB
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07396FF9
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07398E29
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07394650
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07394640
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739A643
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07398690
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073976F0
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07399EEC
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AD27
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AD6F
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07392D60
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07392D51
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07399D4C
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AC3C
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07393C68
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739BC57
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07397CF1
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739ACC9
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AB67
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739ABAF
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073933A0
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AA92
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739AADA
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07396908
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073929D8
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0739001F
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07395878
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07398060
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07395867
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_073968F8
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: String function: 07397498 appears 47 times
Reads the hosts file
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Sample file is different than original file name gathered from version info
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNOPNXYASPEGHOYGAUGCSQWNLEZQDTKDDDFXHVPBK_20190715022059277.exe4 vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16845877999.0000000006F60000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCyaX-Sharp.exe6 vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16858348468.000000000B650000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859300456.000000000B8E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000000.16415616257.000000000079C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16846556699.0000000007420000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe, 00000000.00000002.16846556699.0000000007420000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 1PAYMENT COPY.exe
Source: 1PAYMENT COPY.exe; Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 1PAYMENT COPY.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Users\user\Desktop\1PAYMENT COPY.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: wow64log.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: 1PAYMENT COPY.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: RuCIScdZwHJ.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe
Creates temporary files
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Local\Temp\tmp9651.tmp
PE file has an executable .text section and no other executable section
Source: 1PAYMENT COPY.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\1PAYMENT COPY.exe 'C:\Users\user\Desktop\1PAYMENT COPY.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
PE file contains a COM descriptor data directory
Source: 1PAYMENT COPY.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 1PAYMENT COPY.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb; source: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0071106F push edi; retf 0_2_00711126
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_007110BE push edi; retf 0_2_00711126
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_00712FBF push eax; ret 0_2_00712FC1
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07396D88 push edi; retf 0_2_07396D89
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.90620961185 (2 identical entries)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Process information set: NOOPENFILEERRORBOX (67 identical entries)

Malware Analysis System Evasion:

barindex
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Window / User API: threadDelayed 1298
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Window / User API: threadDelayed 17722
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe TID: 3512 | Thread sleep time: -53819s >= -30000s
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe TID: 2128 | Thread sleep time: -47961534591644804s >= -30000s
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe TID: 3512 | Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Code function: 0_2_07398E38 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,0_2_07398E38
Enables debug privileges
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Program Manager6
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Users\user\Desktop\1PAYMENT COPY.exe VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\1PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\1PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Users\user\Desktop\1PAYMENT COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
05:33:10 | API Interceptor | 4x Sleep call for process: 1PAYMENT COPY.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
1PAYMENT COPY.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Google Safe Browsing | safe
http://www.tiro.com | 0% | virustotal | -
http://www.tiro.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | virustotal | -
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Google Safe Browsing | safe
http://www.carterandcone.coml | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | Google Safe Browsing | safe
http://www.sajatypeworks.com | 0% | virustotal | -
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Google Safe Browsing | safe
http://checkip.amazonaws.com4 | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Google Safe Browsing | safe
http://fontfabrik.com | 0% | virustotal | -
http://fontfabrik.com | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn | 0% | virustotal | -
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Google Safe Browsing | safe
http://www.jiyu-kobo.co.jp/ | 0% | virustotal | -
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Google Safe Browsing | safe
http://www.sandoll.co.kr | 0% | virustotal | -
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Google Safe Browsing | safe
http://www.zhongyicts.com.cn | 1% | virustotal | -
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Google Safe Browsing | safe
http://www.sakkal.com | 0% | virustotal | -
http://www.sakkal.com | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Google Safe Browsing | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.16837188170.0000000002A93000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security | -

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
3.224.145.145 | 12Vsl stowage&particulars.exe | malicious | checkip.amazonaws.com/
- | 30REQUEST FOR SUPPLY .exe | malicious | checkip.amazonaws.com/
- | 22PI 38848484#.exe | malicious | checkip.amazonaws.com/
- | 21MX01170553.exe | malicious | checkip.amazonaws.com/
- | 37Security Deposit_PDF.js | malicious | checkip.amazonaws.com/
- | 55invoice_output7D89FD0.exe | malicious | checkip.amazonaws.com/
- | 50payment details.exe | malicious | checkip.amazonaws.com/
- | 49Swift-Payment_MT103.exe | malicious | checkip.amazonaws.com/
- | 66PO_63526272.exe | malicious | checkip.amazonaws.com/
- | 3shipping document.exe | malicious | checkip.amazonaws.com/
- | 4R3100121910.pdf.exe | malicious | checkip.amazonaws.com/
- | 35Revised Invoice.exe | malicious | checkip.amazonaws.com/
- | 38Orderprocessing.exe | malicious | checkip.amazonaws.com/
- | 27SOA.exe | malicious | checkip.amazonaws.com/
- | 27Purchase_Order-MOQ7855.exe | malicious | checkip.amazonaws.com/
- | 25RFQ 6000093355.exe | malicious | checkip.amazonaws.com/
- | 1Pro quotation ref 900299384.exe | malicious | checkip.amazonaws.com/
- | 1PI # WO # 2019000, 321-122.exe | malicious | checkip.amazonaws.com/
- | 18RFQ NEW ORDER #2019-003746625465300017.exe | malicious | checkip.amazonaws.com/
- | 9LDnEp7MUf.exe | malicious | checkip.amazonaws.com/

Domains

Match | Associated Sample Name / URL | Detection | Context
checkip.us-east-1.prod.check-ip.aws.a2z.com | Payroll.xls | malicious | 52.202.139.131
- | 18Scan_pda_007765_pdf.exe | malicious | 52.200.125.74
- | 62Confirmation_2022019.pdf.exe | malicious | 34.233.102.38
- | NEW ORDER.exe | malicious | 34.196.82.108
- | 24MO85474.exe | malicious | 34.233.102.38
- | 5PO#20190314-9938-33033-83(009).exe | malicious | 52.200.125.74
- | 937389-1993-2087.vbs | malicious | 34.233.102.38
- | 285100727000782928_pdf.exe | malicious | 18.233.42.138
- | 19RFQ-2010319.exe | malicious | 52.202.139.131
- | 41DHL Original Invoice#U22c5pdf.exe | malicious | 34.196.82.108
- | MT COPY USD.exe | malicious | 34.196.82.108
- | 63GH524869.exe | malicious | 34.233.102.38
- | 57RFQ(ORDERLIST)doc..exe | malicious | 52.200.125.74
- | Order Kernel_2019_quotation rqt.doc | malicious | 34.196.82.108
- | 35Purchase Order_signed.exe | malicious | 34.196.82.108
- | Lolly@server_Protected.jp.exe | malicious | 34.196.82.108
- | 63Invoice205100012379.exe | malicious | 52.202.139.131
- | 25Document.exe | malicious | 34.196.82.108
- | 27Colour and PP Sample.exe | malicious | 52.6.79.229
- | 17COLOUR AND PP SAMPLE..exe | malicious | 52.6.79.229

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | request.doc | malicious | 192.168.0.44
- | FERK444259.doc | malicious | 192.168.0.44
- | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | malicious | 192.168.0.40
- | Setup.exe | malicious | 192.168.0.40
- | base64.pdf | malicious | 192.168.0.40
- | file.pdf | malicious | 192.168.0.40
- | Spread sheet 2.pdf | malicious | 192.168.0.40
- | request_08.30.doc | malicious | 192.168.0.44
- | P_2038402.xlsx | malicious | 192.168.0.44
- | 48b1cf747a678641566cd1778777ca72.apk | malicious | 192.168.0.22
- | seu nome na lista de favorecidos.exe | malicious | 192.168.0.40
- | Adm_Boleto.via2.com | malicious | 192.168.0.40
- | QuitacaoVotorantim345309.exe | malicious | 192.168.0.40
- | pptxb.pdf | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.