
Analysis Report 1PAYMENT COPY.exe

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 163024
Start date: 14.08.2019
Start time: 05:32:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 14s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 1PAYMENT COPY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/3@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 3.7% (good quality ratio 2.2%)
  • Quality average: 36.1%
  • Quality standard deviation: 37.3%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 67.26.111.254, 8.247.211.254, 8.253.208.121, 8.247.210.254, 67.27.154.254, 67.27.155.126, 8.247.209.126, 67.27.153.126, 67.24.27.254, 8.248.3.254, 93.184.221.240
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, wu.ec.azureedge.net, s-0001.s-msedge.net, ctldl.windowsupdate.com, e-0009.e-msedge.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | Agent Tesla | malicious

Confidence

Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false


Classification: mal100.troj.spyw.evad.winEXE@4/3@2/1

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The digits after a technique name are the report's hit markers (rendered as badges on the original page); techniques without digits are the matrix template and were not triggered by this sample.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation (111) | Scheduled Task (1) | Process Injection (1) | Software Packing (2) | Credential Dumping (2) | Security Software Discovery (121) | Remote File Copy (1) | Data from Local System (2) | Data Encrypted (1) | Remote File Copy (1)
Replication Through Removable Media | Scheduled Task (1) | Port Monitors | Scheduled Task (1) | Disabling Security Tools (1) | Credentials in Files (1) | File and Directory Discovery (1) | Remote Services | Clipboard Data (1) | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | System Information Discovery (112) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (2)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information (3) | Credentials in Files | Query Registry (1) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (2)
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Process Injection (1) | Account Manipulation | Process Discovery (2) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | DLL Side-Loading (1) | Brute Force | Application Window Discovery (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | Remote System Discovery (1) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Network Configuration Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol

Signature Overview



AV Detection:

• Antivirus or Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe; Joe Sandbox ML: detected
• Antivirus or Machine Learning detection for sample
  Source: 1PAYMENT COPY.exe; Joe Sandbox ML: detected

Networking:

• May check the online IP address of the machine
  Source: unknown; DNS query: name: checkip.amazonaws.com (four identical queries recorded)
• HTTP GET or POST without a user agent
  Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: checkip.amazonaws.com | Connection: Keep-Alive
• IP address seen in connection with other malware
  Source: Joe Sandbox View; IP address: 3.224.145.145
• Downloads files from webservers via HTTP
  Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: checkip.amazonaws.com | Connection: Keep-Alive
• Found strings which match to known social media urls
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; String found in binary or memory: GMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; String found in binary or memory: kFMSN Schweiz | Sign in Hotmail, Outlook Login, Windows Live, Office 365 equals www.hotmail.com (Hotmail)
• Performs DNS lookups
  Source: unknown; DNS traffic detected: queries for: checkip.amazonaws.com
• Urls found in memory or binary data (grouped by the memory region they were read from)
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16837671217.0000000002BF2000.00000004.00000001.sdmp; strings found in memory: http://checkip.amazonaws.com, http://checkip.amazonaws.com4, http://checkip.us-east-1.prod.check-ip.aws.a2z.com
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16837272077.0000000002AC8000.00000004.00000001.sdmp; strings found in memory: http://checkip.amazonaws.com/, http://www.msn.com/, http://www.msn.com/?ocid=iehp, http://www.msn.com/de-ch/, http://www.msn.com/de-ch/?ocid=iehp
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; string found in memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; strings found in memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico, http://www.msn.com/?ocid=iehpLMEMp
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836134958.0000000000D2D000.00000004.00000001.sdmp; strings found in memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico~, http://www.msn.com/de-ch/?ocid=iehpLMEMx
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16845440612.0000000006B82000.00000004.00000001.sdmp; strings found in memory: http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fonts.com, http://www.founder.com.cn/cn, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sajatypeworks.com, http://www.sakkal.com, http://www.sandoll.co.kr, http://www.tiro.com, http://www.typography.netD, http://www.zhongyicts.com.cn
  Note: the only host the sample actually contacted during the run is checkip.amazonaws.com (an external-IP lookup). The URLs in region 0x6B82000 are font-foundry addresses of the kind embedded in font-file metadata, and the msn.com/hotmail strings are Internet Explorer start-page data; neither should be treated as command-and-control infrastructure.
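The network observation worth turning into a detection is the shape of the request itself: a bare `GET /` to an external-IP lookup host with only `Host` and `Connection` headers and no `User-Agent`. The following is an added example written for this page (it is not code from the report or from Joe Sandbox) that parses raw HTTP request text and applies those two checks. checkip.amazonaws.com is the host seen in the report; the other hosts in the watch-list are an assumption about services commonly used for the same purpose, and both sample requests are constructed.

```python
"""Flag HTTP requests that look like a malware external-IP check.

Added example, not part of the Joe Sandbox report. The report shows the sample
sending 'GET / HTTP/1.1' to checkip.amazonaws.com with only Host and
Connection headers, i.e. no User-Agent. The checks below encode that shape.
"""
from dataclasses import dataclass

# checkip.amazonaws.com is the host from the report; the rest is an assumed
# watch-list of other services used for the same external-IP lookup.
IP_CHECK_HOSTS = {
    "checkip.amazonaws.com",
    "api.ipify.org",
    "icanhazip.com",
    "ifconfig.me",
}


@dataclass
class Verdict:
    host: str
    has_user_agent: bool
    ip_check_host: bool
    reasons: list

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers-dict).
    Header names are lower-cased so lookups are case-insensitive."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def assess(raw):
    """Return a Verdict describing why (if at all) the request is suspicious."""
    method, target, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    has_ua = "user-agent" in headers
    is_ipcheck = host in IP_CHECK_HOSTS
    reasons = []
    if not has_ua:
        reasons.append("no User-Agent header (browsers and most HTTP libraries always send one)")
    if is_ipcheck:
        reasons.append("request to external-IP lookup service " + host)
    if is_ipcheck and method == "GET" and target == "/" and not has_ua:
        reasons.append("matches the beacon shape captured in the report exactly")
    return Verdict(host, has_ua, is_ipcheck, reasons)


# Constructed sample requests: the first mirrors the report's captured traffic,
# the second is what an ordinary browser request looks like.
SAMPLE_BEACON = "GET / HTTP/1.1\r\nHost: checkip.amazonaws.com\r\nConnection: Keep-Alive\r\n\r\n"
SAMPLE_BROWSER = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEACON, SAMPLE_BROWSER):
        v = assess(raw)
        print(v.host, "SUSPICIOUS" if v.suspicious else "ok", v.reasons)
```

The missing User-Agent alone is a weak signal (some updaters and scripts omit it too), so the verdict combines it with the destination; in a proxy or IDS rule the same pairing is what keeps the false-positive rate manageable.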

Key, Mouse, Clipboard, Microphone and Screen Capturing:

• Creates a window with clipboard capturing capabilities
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

• Yara detected Agent Tesla Trojan
  Source: Yara match; file source: 00000000.00000002.16837188170.0000000002A93000.00000004.00000001.sdmp, type: MEMORY
• Initial sample is a PE file and has a suspicious name
  Source: initial sample; Static PE information: Filename: 1PAYMENT COPY.exe
• Creates mutexes
  Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_01 (a standard conhost.exe mutex, not a sample-specific indicator)
• Detected potential crypto function
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code functions: 0_2_010AE610, 0_2_010AC1C4, 0_2_010AE603, 0_2_071023A8, 0_2_07397700, 0_2_07398E38, 0_2_073986A0, 0_2_07397D00, 0_2_07393C78, 0_2_07394128, 0_2_073929E8, 0_2_07397008, 0_2_07398070, 0_2_07390040, 0_2_0739A731, 0_2_07399FBB, 0_2_07396FF9, 0_2_07398E29, 0_2_07394650, 0_2_07394640, 0_2_0739A643, 0_2_07398690, 0_2_073976F0, 0_2_07399EEC, 0_2_0739AD27, 0_2_0739AD6F, 0_2_07392D60, 0_2_07392D51, 0_2_07399D4C, 0_2_0739AC3C, 0_2_07393C68, 0_2_0739BC57, 0_2_07397CF1, 0_2_0739ACC9, 0_2_0739AB67, 0_2_0739ABAF, 0_2_073933A0, 0_2_0739AA92, 0_2_0739AADA, 0_2_07396908, 0_2_073929D8, 0_2_0739001F, 0_2_07395878, 0_2_07398060, 0_2_07395867, 0_2_073968F8 (0_2_07398E38 was listed twice on the original page)
• Found potential string decryption / allocating functions
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: String function: 07397498 appears 47 times
• Reads the hosts file
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Windows\System32\drivers\etc\hosts (four reads recorded)
• Sample file is different than original file name gathered from version info
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameNOPNXYASPEGHOYGAUGCSQWNLEZQDTKDDDFXHVPBK_20190715022059277.exe4 vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16845877999.0000000006F60000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCyaX-Sharp.exe6 vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16858348468.000000000B650000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859300456.000000000B8E0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000000.16415616257.000000000079C000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16846556699.0000000007420000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16846556699.0000000007420000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 1PAYMENT COPY.exe
  Source: 1PAYMENT COPY.exe; Binary or memory string: OriginalFilenameMinesweeper.exe8 vs 1PAYMENT COPY.exe
  Note: the sample's own version resource claims OriginalFilename Minesweeper.exe; the other names (IELibrary.dll, CyaX-Sharp.exe, the long NOPNX..._20190715022059277.exe name) come from additional PE images unpacked into the process's memory at runtime, consistent with a multi-stage .NET loader.
• Sample reads its own file content
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Users\user\Desktop\1PAYMENT COPY.exe
• Tries to load missing DLLs
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Section loaded: wow64log.dll
  Source: C:\Windows\SysWOW64\schtasks.exe; Section loaded: wow64log.dll
  Note: every 32-bit process on 64-bit Windows attempts to load wow64log.dll, which is normally absent; this is not a sample-specific behavior.
• PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
  Source: 1PAYMENT COPY.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: RuCIScdZwHJ.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
• Classification label
  Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@4/3@2/1
• Creates files inside the user directory
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe
• Creates temporary files
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Local\Temp\tmp9651.tmp
• PE file has an executable .text section and no other executable section
  Source: 1PAYMENT COPY.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
• Parts of this application use the .NET runtime (probably coded in C#)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
• Queries process information (via WMI, Win32_Process)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (the query recorded is Win32_Processor, the same VM-detection query listed under Malware Analysis System Evasion, not Win32_Process)
• Reads ini files
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File read: C:\Users\user\Desktop\desktop.ini
• Reads software policies
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• Spawns processes
  Source: unknown; Process created: C:\Users\user\Desktop\1PAYMENT COPY.exe 'C:\Users\user\Desktop\1PAYMENT COPY.exe'
  Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'
  Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'
  Note: the sample requests C:\Windows\System32\schtasks.exe but the process that runs is C:\Windows\SysWOW64\schtasks.exe, because the sample is a 32-bit process and WoW64 file-system redirection rewrites the path. The task definition is passed as an XML file staged in %TEMP%, so the command line itself does not reveal the scheduled command; the dropped file C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe shares the task name.
• Uses an in-process (OLE) Automation server
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
• Uses Microsoft Silverlight
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll (mscorrc.dll is the .NET Framework's resource DLL; this signature is a generic heuristic and is not evidence of Silverlight use)
• Checks if Microsoft Office is installed
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (this subkey stores Outlook account settings; opening it fits the Credentials in Registry entry in the ATT&CK matrix rather than a plain installation check)
• PE file contains a COM descriptor data directory
  Source: 1PAYMENT COPY.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
• Contains modern PE file flags such as dynamic base (ASLR) or NX
  Source: 1PAYMENT COPY.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
• Binary contains paths to debug symbols
  Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb; found in: 1PAYMENT COPY.exe, 00000000.00000002.16838636700.00000000039E0000.00000004.00000001.sdmp

Data Obfuscation:

• Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_0071106F push edi; retf
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_007110BE push edi; retf
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_00712FBF push eax; ret
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Code function: 0_2_07396D88 push edi; retf
• Binary may include packed or encrypted code
  Source: initial sample; Static PE information: section name: .text entropy: 7.90620961185
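The two static heuristics behind the packing verdicts above (a .text entropy of 7.906 here, and the "zlib compression ratio < 0.3" signature in the System Summary) are simple enough to reproduce. The block below is an added example written for this page, not Joe Sandbox code; it computes both measures with the standard library over constructed byte buffers, so no PE parser is required. The "ratio" is taken here as the fraction of bytes zlib saves, which is an assumption about the report's definition: compiled code compresses well, packed or encrypted data barely at all.

```python
"""Entropy and compressibility heuristics for a PE code section.

Added example, not code from the report. Both measures are computed over
constructed buffers; to apply them to a real file, read each section's bytes
with a PE parser (e.g. pefile: `for s in pe.sections: looks_packed(s.get_data())`).
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Shannon entropy in bits per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_savings(data):
    """Fraction of bytes zlib removes: 1 - compressed/original.
    Near 0 (or negative) means incompressible, typical of packed/encrypted data."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 9)) / len(data)


def looks_packed(data, entropy_threshold=7.0, savings_threshold=0.3):
    """Apply both heuristics; either one firing marks the buffer as packed.
    The 0.3 threshold mirrors the report's wording, the 7.0 entropy
    threshold is a common rule of thumb (assumption)."""
    e = shannon_entropy(data)
    s = zlib_savings(data)
    return {
        "entropy": round(e, 3),
        "zlib_savings": round(s, 3),
        "packed": e >= entropy_threshold or s < savings_threshold,
    }


# Constructed inputs: seeded pseudo-random bytes stand in for a packed or
# encrypted .text section; a repeating x86 prologue stands in for ordinary,
# highly compressible compiled code.
_rng = random.Random(2019)
PACKED_LIKE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
CODE_LIKE = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x85\xc0\x74\x0a" * 5000)[: 64 * 1024]

if __name__ == "__main__":
    for name, buf in (("packed-like", PACKED_LIKE), ("code-like", CODE_LIKE)):
        print(name, looks_packed(buf))
```

Real .NET assemblies sit between these extremes, so treat a single high-entropy section as a prompt to look for an unpacking stage (the runtime-unpacked CyaX-Sharp and IELibrary images in this report are exactly that) rather than as proof on its own.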

Persistence and Installation Behavior:

• Drops PE files
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; File created: C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe

Boot Survival:

• Uses schtasks.exe or at.exe to add and modify task schedules
  Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RuCIScdZwHJ' /XML 'C:\Users\user\AppData\Local\Temp\tmp9651.tmp'
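The persistence chain recorded under "Spawns processes" and "Boot Survival" (drop RuCIScdZwHJ.exe to AppData\Roaming, write a task definition to %TEMP%, register it with schtasks /Create /XML under the Updates\ folder) is what a responder has to find on other hosts. The block below is an added example written for this page, not code from the report or from Joe Sandbox. Part 1 scores a process-creation command line for that shape; part 2 parses a Task Scheduler XML definition, the format /XML consumes, and flags an Exec action pointing into a user-writable directory. The command line is the one captured in the report; the XML is constructed for the example, since the report does not show the contents of tmp9651.tmp.

```python
"""Triage of scheduled-task persistence of the kind recorded in this report.

Added example, not code from the report. Part 1 looks at the schtasks.exe
command line, part 2 at the task XML that /XML points to.
"""
import re
import xml.etree.ElementTree as ET

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"   # Task Scheduler XML namespace


def tokenize(cmdline):
    """Split a command line into arguments. The report quotes with single
    quotes, Sysmon/EDR logs use double quotes, so both are accepted."""
    return [t.strip("'\"") for t in re.findall(r"""'[^']*'|"[^"]*"|\S+""", cmdline)]


def score_schtasks(cmdline):
    """Return a dict of indicators found in a schtasks.exe command line
    (an empty dict for anything that is not schtasks.exe)."""
    args = tokenize(cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return {}
    switches = {}                       # map each /switch to the argument after it
    for i, a in enumerate(args):
        if a.startswith("/"):
            switches[a.lower()] = args[i + 1] if i + 1 < len(args) else ""
    hits = {}
    if "/create" in switches:
        hits["creates_task"] = True
    xml_path = switches.get("/xml", "")
    if TEMP_DIR.search(xml_path):
        hits["xml_from_temp"] = xml_path                 # definition staged in %TEMP%
    task_name = switches.get("/tn", "")
    if task_name.lower().startswith("updates\\"):
        hits["task_under_updates_folder"] = task_name    # folder used by this sample
    return hits


def triage_task_xml(xml_text):
    """Flag suspicious properties of a Task Scheduler XML definition.
    On disk (C:\\Windows\\System32\\Tasks\\...) these files are UTF-16 with a
    BOM; pass the raw bytes and ElementTree decodes them."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iter(NS + "Exec"):
        cmd = (exec_node.findtext(NS + "Command") or "").strip().strip('"')
        if USER_WRITABLE.search(cmd):
            findings.append("Exec command in user-writable path: " + cmd)
    if root.find(".//" + NS + "LogonTrigger") is not None:
        findings.append("runs at user logon")
    if (root.findtext(NS + "Settings/" + NS + "Hidden") or "").lower() == "true":
        findings.append("task is hidden from the UI")
    return findings


# The command line captured in the report.
SAMPLE_CMDLINE = (
    "'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\RuCIScdZwHJ' "
    "/XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp9651.tmp'"
)
# Constructed task definition (the report does not show tmp9651.tmp's contents);
# the Exec command is the file the sample dropped.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe"</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(score_schtasks(SAMPLE_CMDLINE))
    for finding in triage_task_xml(SAMPLE_TASK_XML):
        print("-", finding)
```

On a live host the registered definition lives at C:\Windows\System32\Tasks\Updates\RuCIScdZwHJ (a file without extension); feeding every file under that Tasks directory through triage_task_xml is a quick sweep for the same technique under a different task name.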

Hooking and other Techniques for Hiding and Protection:

• Disables application error messages (SetErrorMode)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Process information set: NOOPENFILEERRORBOX (67 identical entries recorded)

Malware Analysis System Evasion:

• Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
• Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
• Contains long sleeps (>= 3 min)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Thread delayed: delay time: 922337203685477 (this value is .NET TimeSpan.MaxValue, 2^63-1 ticks of 100 ns, expressed in milliseconds: effectively an infinite sleep)
• Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Window / User API: threadDelayed 1298
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Window / User API: threadDelayed 17722
• May sleep (evasive loops) to hinder dynamic analysis
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe, TID 3512; Thread sleep time: -53819s >= -30000s
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe, TID 2128; Thread sleep time: -47961534591644804s >= -30000s
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe, TID 3512; Thread sleep time: -30000s >= -30000s
• Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
• Sample execution stops while process was sleeping (likely an evasion)
  Source: C:\Users\user\Desktop\1PAYMENT COPY.exe; Last function: Thread delayed
  Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
• May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16855147623.0000000008780000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II,SOFTWARE\Microsoft\Windows Defender\Features
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: vmware
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: VMWARE
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16836955971.00000000029E0000.00000004.00000001.sdmp; Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
  Source: 1PAYMENT COPY.exe, 00000000.00000002.16859332279.000000000B8F0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
  Note: the VMware, SCSI device-map, Disk\Enum and display-adapter class strings all sit in region 0x29E0000 together with SBIEDLL.DLL and WINE_GET_UNIX_FILE_NAME, so they are the sample's own checks (VMware Tools install path and registry key, SCSI/disk identifier strings, the video-adapter class key, Sandboxie's DLL, Wine). The three Hyper-V sentences come from region 0xB8F0000, which the System Summary identifies as Kernelbase.dll.mui; they are Windows error-message resources mapped into the process, not evidence that the sample checks for Hyper-V.
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\1PAYMENT COPY.exeProcess information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | System information queried: KernelDebuggerInformation
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Code function: 0_2_07398E38 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,
Enables debug privileges
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Program Manager6
Source: 1PAYMENT COPY.exe, 00000000.00000002.16836792163.0000000001490000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Users\user\Desktop\1PAYMENT COPY.exe VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\1PAYMENT COPY.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
05:33:10 | API Interceptor | 4x Sleep call for process: 1PAYMENT COPY.exe modified

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label | Link
1PAYMENT COPY.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\RuCIScdZwHJ.exe | 100% | Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Google Safe Browsing | safe
http://www.tiro.com | 0% | virustotal
http://www.tiro.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | virustotal
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Google Safe Browsing | safe
http://www.carterandcone.coml | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | Google Safe Browsing | safe
http://www.sajatypeworks.com | 0% | virustotal
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Google Safe Browsing | safe
http://checkip.amazonaws.com4 | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Google Safe Browsing | safe
http://fontfabrik.com | 0% | virustotal
http://fontfabrik.com | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | Google Safe Browsing | safe
http://www.founder.com.cn/cn | 0% | virustotal
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Google Safe Browsing | safe
http://www.jiyu-kobo.co.jp/ | 0% | virustotal
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Google Safe Browsing | safe
http://www.sandoll.co.kr | 0% | virustotal
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Google Safe Browsing | safe
http://www.zhongyicts.com.cn | 1% | virustotal
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Google Safe Browsing | safe
http://www.sakkal.com | 0% | virustotal
http://www.sakkal.com | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Google Safe Browsing | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.16837188170.0000000002A93000.00000004.00000001.sdmp | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected Agent Tesla Trojan | Joe Security

    Unpacked PEs

    No yara matches

    Joe Sandbox View / Context

    IPs

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    3.224.145.14512Vsl stowage&particulars.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    30REQUEST FOR SUPPLY .exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    22PI 38848484#.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    21MX01170553.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    37Security Deposit_PDF.jsGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    55invoice_output7D89FD0.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    50payment details.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    49Swift-Payment_MT103.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    66PO_63526272.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    3shipping document.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    4R3100121910.pdf.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    35Revised Invoice.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    38Orderprocessing.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    27SOA.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    27Purchase_Order-MOQ7855.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    25RFQ 6000093355.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    1Pro quotation ref 900299384.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    1PI # WO # 2019000, 321-122.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    18RFQ NEW ORDER #2019-003746625465300017.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/
    9LDnEp7MUf.exeGet hashmaliciousBrowse
    • checkip.amazonaws.com/

    Domains

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    checkip.us-east-1.prod.check-ip.aws.a2z.comPayroll.xlsGet hashmaliciousBrowse
    • 52.202.139.131
    18Scan_pda_007765_pdf.exeGet hashmaliciousBrowse
    • 52.200.125.74
    62Confirmation_2022019.pdf.exeGet hashmaliciousBrowse
    • 34.233.102.38
    NEW ORDER.exeGet hashmaliciousBrowse
    • 34.196.82.108
    24MO85474.exeGet hashmaliciousBrowse
    • 34.233.102.38
    5PO#20190314-9938-33033-83(009).exeGet hashmaliciousBrowse
    • 52.200.125.74
    937389-1993-2087.vbsGet hashmaliciousBrowse
    • 34.233.102.38
    285100727000782928_pdf.exeGet hashmaliciousBrowse
    • 18.233.42.138
    19RFQ-2010319.exeGet hashmaliciousBrowse
    • 52.202.139.131
    41DHL Original Invoice#U22c5pdf.exeGet hashmaliciousBrowse
    • 34.196.82.108
    MT COPY USD.exeGet hashmaliciousBrowse
    • 34.196.82.108
    63GH524869.exeGet hashmaliciousBrowse
    • 34.233.102.38
    57RFQ(ORDERLIST)doc..exeGet hashmaliciousBrowse
    • 52.200.125.74
    Order Kernel_2019_quotation rqt.docGet hashmaliciousBrowse
    • 34.196.82.108
    35Purchase Order_signed.exeGet hashmaliciousBrowse
    • 34.196.82.108
    Lolly@server_Protected.jp.exeGet hashmaliciousBrowse
    • 34.196.82.108
    63Invoice205100012379.exeGet hashmaliciousBrowse
    • 52.202.139.131
    25Document.exeGet hashmaliciousBrowse
    • 34.196.82.108
    27Colour and PP Sample.exeGet hashmaliciousBrowse
    • 52.6.79.229
    17COLOUR AND PP SAMPLE..exeGet hashmaliciousBrowse
    • 52.6.79.229

    ASN

    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
    unknownrequest.docGet hashmaliciousBrowse
    • 192.168.0.44
    FERK444259.docGet hashmaliciousBrowse
    • 192.168.0.44
    b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.jsGet hashmaliciousBrowse
    • 192.168.0.40
    Setup.exeGet hashmaliciousBrowse
    • 192.168.0.40
    base64.pdfGet hashmaliciousBrowse
    • 192.168.0.40
    file.pdfGet hashmaliciousBrowse
    • 192.168.0.40
    Spread sheet 2.pdfGet hashmaliciousBrowse
    • 192.168.0.40
    request_08.30.docGet hashmaliciousBrowse
    • 192.168.0.44
    P_2038402.xlsxGet hashmaliciousBrowse
    • 192.168.0.44
    48b1cf747a678641566cd1778777ca72.apkGet hashmaliciousBrowse
    • 192.168.0.22
    seu nome na lista de favorecidos.exeGet hashmaliciousBrowse
    • 192.168.0.40
    Adm_Boleto.via2.comGet hashmaliciousBrowse
    • 192.168.0.40
    QuitacaoVotorantim345309.exeGet hashmaliciousBrowse
    • 192.168.0.40
    pptxb.pdfGet hashmaliciousBrowse
    • 192.168.0.40

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.