
Analysis Report PAYMENT ADVICE.pdf.exe

Overview

General Information

Sample Name: PAYMENT ADVICE.pdf.exe
Analysis ID: 255456
MD5: 1275d29213c2580894371739beb16148
SHA1: 5591bfdbad8f70d177b2889f0242d858fafc7750
SHA256: 20e1f222ebae73bc71db60552d3733124fc5a2ce835ca2dde406c34217e6a061

Most interesting Screenshot: (screenshot image not included in this extract)

Detection

AgentTesla Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected Matiex Keylogger
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: PAYMENT ADVICE.pdf.exe
Rule: SUSP_Reversed_Base64_Encoded_EXE
Description: Detects an base64 encoded executable with reversed characters
Author: Florian Roth
Strings:
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Rule matched by every entry below: SUSP_Reversed_Base64_Encoded_EXE (Description: Detects an base64 encoded executable with reversed characters; Author: Florian Roth)

Source: 00000002.00000000.1293551923.0000000000E72000.00000002.00020000.sdmp
  • 0x61b1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000000.00000002.1294328044.0000000000762000.00000002.00020000.sdmp
  • 0x61b1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000002.00000002.1540539999.0000000000E72000.00000002.00020000.sdmp
  • 0x61b1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000000.00000000.1273893401.0000000000762000.00000002.00020000.sdmp
  • 0x61b1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 00000001.00000000.1292605217.0000000000452000.00000002.00020000.sdmp
  • 0x61b1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Rule matched by every entry below: SUSP_Reversed_Base64_Encoded_EXE (Description: Detects an base64 encoded executable with reversed characters; Author: Florian Roth)

Source: 2.0.PAYMENT ADVICE.pdf.exe.e70000.0.unpack
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 1.0.PAYMENT ADVICE.pdf.exe.450000.0.unpack
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.2.PAYMENT ADVICE.pdf.exe.760000.0.unpack
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 0.0.PAYMENT ADVICE.pdf.exe.760000.0.unpack
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Source: 1.2.PAYMENT ADVICE.pdf.exe.450000.0.unpack
  • 0x61d1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe, NewProcessName: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe, OriginalFileName: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe' , ParentImage: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe, ParentProcessId: 6832, ProcessCommandLine: {path}, ProcessId: 6884

Signature Overview


AV Detection:

Machine Learning detection for sample
Source: PAYMENT ADVICE.pdf.exe | Joe Sandbox ML: detected

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: checkip.dyndns.org
Uses the Telegram API (likely for C&C communication)
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;); Host: checkip.dyndns.org
Source: unknown | DNS traffic detected: queries for: checkip.dyndns.org
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542951537.0000000003442000.00000004.00000001.sdmp | String found in binary or memory: http://api.telegram.org
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudFlareIncECCCA-2.crt0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542734359.00000000033C9000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542615007.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542654466.0000000003372000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org/HB;j
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542734359.00000000033C9000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.org4
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542881930.0000000003425000.00000004.00000001.sdmp, PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: http://checkip.dyndns.orgD8
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudFlareIncECCCA2.crl06
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546310627.0000000006AE0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudFlareIncECCCA2.crl0L
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: http://freegeoip.app
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546310627.0000000006AE0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/02
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542654466.0000000003372000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1298495836.0000000005B10000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542951537.0000000003442000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542951537.0000000003442000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542615007.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542951537.0000000003442000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot962940633:AAFWOS5PMSGq49vE3MQVWuNLcoWDhmmugxg/sendDocument?chat_id=13926
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542951537.0000000003442000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org4
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542881930.0000000003425000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/91.132.136.174
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/91.132.136.174x
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542615007.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.app4
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542881930.0000000003425000.00000004.00000001.sdmp | String found in binary or memory: https://freegeoip.appD8
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542615007.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: https://i.imgur.com/GJD7Q5y.png
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542881930.0000000003425000.00000004.00000001.sdmp, PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542768032.00000000033D9000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1546347813.0000000006AFE000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542897819.000000000342E000.00000004.00000001.sdmp | String found in binary or memory: https://www.geodatatool.com/en/?ip=
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542897819.000000000342E000.00000004.00000001.sdmp | String found in binary or memory: https://www.geodatatool.com/en/?ip=91.132.136.174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: PAYMENT ADVICE.pdf.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PAYMENT ADVICE.pdf.exe
Source: initial sample | Static PE information: Filename: PAYMENT ADVICE.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 0_2_00FEC9E4
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 0_2_00FEEDB0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 0_2_00FEEDA0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D05C0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019DEFD8
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019DF320
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019DFBF0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D05B8
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D1078
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D1068
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D1590
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_019D158C
Source: PAYMENT ADVICE.pdf.exe | Binary or memory string: OriginalFilename vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295094955.0000000002A61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295345394.0000000003B05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295345394.0000000003B05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295345394.0000000003B05000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZ.exe4 vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1294328044.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameamrce.exe< vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe | Binary or memory string: OriginalFilename vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000001.00000000.1292605217.0000000000452000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameamrce.exe< vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe | Binary or memory string: OriginalFilename vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000000.1293551923.0000000000E72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameamrce.exe< vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1545585959.00000000064F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1540134813.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameVNXT.exe* vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1540134813.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameZ.exe4 vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1540748916.00000000012F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe | Binary or memory string: OriginalFilenameamrce.exe< vs PAYMENT ADVICE.pdf.exe
Source: PAYMENT ADVICE.pdf.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000002.00000000.1293551923.0000000000E72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.1294328044.0000000000762000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000002.00000002.1540539999.0000000000E72000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.1273893401.0000000000762000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000001.00000000.1292605217.0000000000452000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000001.00000002.1292949047.0000000000452000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: PAYMENT ADVICE.pdf.exe PID: 6884, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: PAYMENT ADVICE.pdf.exe PID: 6832, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: PAYMENT ADVICE.pdf.exe PID: 6892, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 2.0.PAYMENT ADVICE.pdf.exe.e70000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 1.0.PAYMENT ADVICE.pdf.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.2.PAYMENT ADVICE.pdf.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 0.0.PAYMENT ADVICE.pdf.exe.760000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 1.2.PAYMENT ADVICE.pdf.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 2.2.PAYMENT ADVICE.pdf.exe.e70000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: PAYMENT ADVICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@5/3
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT ADVICE.pdf.exe.log
Source: PAYMENT ADVICE.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe 'C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe'
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe {path}
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe {path}
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Process created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe {path}
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PAYMENT ADVICE.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAYMENT ADVICE.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb | source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295345394.0000000003B05000.00000004.00000001.sdmp, PAYMENT ADVICE.pdf.exe, 00000002.00000002.1540134813.0000000000402000.00000040.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} | source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1295345394.0000000003B05000.00000004.00000001.sdmp, PAYMENT ADVICE.pdf.exe, 00000002.00000002.1540134813.0000000000402000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 0_2_00767FC0 push es; ret 0_2_007680A0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 1_2_00457FC0 push es; ret 1_2_004580A0
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe | Code function: 2_2_00E77FC0 push es; ret 2_2_00E780A0
Source: initial sample | Static PE information: section name: .text entropy: 7.7976832482

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exeStatic PE information: PAYMENT ADVICE.pdf.exe
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara matchFile source: Process Memory Space: PAYMENT ADVICE.pdf.exe PID: 6832, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe TID: 6836Thread sleep time: -41000s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe TID: 6852Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeFile Volume queried: C:\ FullSizeInformation
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1545585959.00000000064F0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: vmware
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: VMWARE
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1545585959.00000000064F0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1545585959.00000000064F0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
Source: PAYMENT ADVICE.pdf.exe, 00000000.00000002.1305187088.0000000008F36000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1545585959.00000000064F0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeProcess information queried: ProcessInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeProcess token adjusted: Debug
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeMemory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeMemory written: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeProcess created: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe {path}
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542265560.0000000001DF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542265560.0000000001DF0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542265560.0000000001DF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
Source: PAYMENT ADVICE.pdf.exe, 00000002.00000002.1542265560.0000000001DF0000.00000002.00000001.sdmpBinary or memory string: Program Manager@
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT ADVICE.pdf.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAY