Analysis Report payment details.exe

Overview

General Information

Sample Name: payment details.exe
Analysis ID: 383908
MD5: 55191839573ac8fd25655b3561286bc1
SHA1: b9e85e2ab05e4b027a3f522fd690b097aa4a4aad
SHA256: e81d917830f3fabca0557b899267ebe84ecc6fcbb5e1cd649284d1370d8a8876
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0.2.payment details.exe.3e052e8.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ho@almasroor.com042264528mail.almasroor.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: payment details.exe Virustotal: Detection: 31%
Source: payment details.exe ReversingLabs: Detection: 33%
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.payment details.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 18.2.kprUEGC.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 19.2.kprUEGC.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: payment details.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49764 -> 69.65.3.206:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49764 -> 69.65.3.206:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-GIGENETUS ASN-GIGENETUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49764 -> 69.65.3.206:587
Source: unknown DNS traffic detected: queries for: mail.almasroor.com
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp String found in binary or memory: http://almasroor.com
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp String found in binary or memory: http://bQxorv.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: payment details.exe, 00000005.00000002.923488347.0000000002D15000.00000004.00000001.sdmp String found in binary or memory: http://mail.almasroor.com
Source: payment details.exe, 00000005.00000002.923358633.0000000002CD9000.00000004.00000001.sdmp String found in binary or memory: http://uDoQcdZGpyqzP0ZwyV.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: payment details.exe, 00000000.00000002.694767298.0000000005BE0000.00000002.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.802621284.0000000005820000.00000002.00000001.sdmp, kprUEGC.exe, 00000010.00000002.823184055.0000000005B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: kprUEGC.exe, payment details.exe String found in binary or memory: https://github.com/michel-pi/EasyBot.Net
Source: payment details.exe, 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, kprUEGC.exe, 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: payment details.exe, 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, kprUEGC.exe, 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, kprUEGC.exe, 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\payment details.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.payment details.exe.400000.0.unpack, <PrivateImplementationDetails>{E39C872E-8914-48C3-BF35-A8B0A9168404}/11446D9E-E05F-4878-AF9E-244D020F16BC.cs Large array initialization: .cctor: array initializer size 11951
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment details.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CC204 0_2_010CC204
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CE623 0_2_010CE623
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CE630 0_2_010CE630
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2068 0_2_012A2068
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A0040 0_2_012A0040
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A5720 0_2_012A5720
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A59D0 0_2_012A59D0
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A0006 0_2_012A0006
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2059 0_2_012A2059
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A4279 0_2_012A4279
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A4288 0_2_012A4288
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2548 0_2_012A2548
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A5420 0_2_012A5420
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A5412 0_2_012A5412
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A1716 0_2_012A1716
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A5716 0_2_012A5716
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A1760 0_2_012A1760
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A29F8 0_2_012A29F8
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A59CA 0_2_012A59CA
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2A08 0_2_012A2A08
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2FF8 0_2_012A2FF8
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A2FC5 0_2_012A2FC5
Source: C:\Users\user\Desktop\payment details.exe Code function: 5_2_00E047A0 5_2_00E047A0
Source: C:\Users\user\Desktop\payment details.exe Code function: 5_2_00E04790 5_2_00E04790
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_00CFC204 15_2_00CFC204
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_00CFE620 15_2_00CFE620
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_00CFE630 15_2_00CFE630
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612068 15_2_02612068
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02610040 15_2_02610040
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615720 15_2_02615720
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_026159D0 15_2_026159D0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02614282 15_2_02614282
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02614285 15_2_02614285
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02614288 15_2_02614288
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612059 15_2_02612059
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02610028 15_2_02610028
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02610006 15_2_02610006
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02611760 15_2_02611760
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612760 15_2_02612760
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612768 15_2_02612768
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_0261175B 15_2_0261175B
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615710 15_2_02615710
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615716 15_2_02615716
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615718 15_2_02615718
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_0261571C 15_2_0261571C
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615420 15_2_02615420
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615412 15_2_02615412
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02615418 15_2_02615418
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612548 15_2_02612548
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612A08 15_2_02612A08
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_026129F8 15_2_026129F8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_026159CA 15_2_026159CA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_026159CC 15_2_026159CC
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612FF8 15_2_02612FF8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02612FC5 15_2_02612FC5
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_04DDD990 15_2_04DDD990
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_0100C204 16_2_0100C204
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_0100E620 16_2_0100E620
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_0100E630 16_2_0100E630
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82068 16_2_02B82068
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B80040 16_2_02B80040
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B859D0 16_2_02B859D0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B84288 16_2_02B84288
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B84279 16_2_02B84279
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B80006 16_2_02B80006
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82059 16_2_02B82059
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B81760 16_2_02B81760
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B8175D 16_2_02B8175D
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B85420 16_2_02B85420
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B85412 16_2_02B85412
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82548 16_2_02B82548
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82A08 16_2_02B82A08
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B829F8 16_2_02B829F8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B859CA 16_2_02B859CA
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82FF8 16_2_02B82FF8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B82FC5 16_2_02B82FC5
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D89CE0 16_2_06D89CE0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8B4B0 16_2_06D8B4B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8C440 16_2_06D8C440
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8ADB0 16_2_06D8ADB0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8BA70 16_2_06D8BA70
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D83A30 16_2_06D83A30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D84B78 16_2_06D84B78
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D87B13 16_2_06D87B13
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8D300 16_2_06D8D300
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D890B0 16_2_06D890B0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D84978 16_2_06D84978
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F6F0 16_2_06D8F6F0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F6E1 16_2_06D8F6E1
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F4C8 16_2_06D8F4C8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F4B9 16_2_06D8F4B9
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8B4A0 16_2_06D8B4A0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8C430 16_2_06D8C430
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8AD57 16_2_06D8AD57
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F2D2 16_2_06D8F2D2
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8F2E0 16_2_06D8F2E0
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8D2E7 16_2_06D8D2E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8BA60 16_2_06D8BA60
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8BA22 16_2_06D8BA22
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D88868 16_2_06D88868
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D891C8 16_2_06D891C8
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8A180 16_2_06D8A180
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8E150 16_2_06D8E150
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8A170 16_2_06D8A170
Sample file is different than original file name gathered from version info
Source: payment details.exe Binary or memory string: OriginalFilename vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment details.exe
Source: payment details.exe, 00000000.00000002.698248951.0000000007C21000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000000.00000002.690812300.0000000002C51000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs payment details.exe
Source: payment details.exe, 00000000.00000002.697919901.00000000077D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs payment details.exe
Source: payment details.exe Binary or memory string: OriginalFilename vs payment details.exe
Source: payment details.exe, 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameelxZSujHMHuHJxbAMwLHIgWJxBXR.exe4 vs payment details.exe
Source: payment details.exe, 00000005.00000003.898574525.0000000000E9D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameclr.dllT vs payment details.exe
Source: payment details.exe, 00000005.00000002.917609197.0000000000C00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs payment details.exe
Source: payment details.exe Binary or memory string: OriginalFilename vs payment details.exe
Uses 32bit PE files
Source: payment details.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment details.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kprUEGC.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.payment details.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@9/6@2/1
Source: C:\Users\user\Desktop\payment details.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment details.exe.log
Source: payment details.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment details.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\payment details.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: payment details.exe Virustotal: Detection: 31%
Source: payment details.exe ReversingLabs: Detection: 33%
Source: C:\Users\user\Desktop\payment details.exe File read: C:\Users\user\Desktop\payment details.exe
Source: unknown Process created: C:\Users\user\Desktop\payment details.exe 'C:\Users\user\Desktop\payment details.exe'
Source: C:\Users\user\Desktop\payment details.exe Process created: C:\Users\user\Desktop\payment details.exe {path}
Source: unknown Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 'C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe'
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: C:\Users\user\Desktop\payment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: payment details.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment details.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: payment details.exe, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.payment details.exe.800000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.payment details.exe.800000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: kprUEGC.exe.5.dr, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.2.payment details.exe.620000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 5.0.payment details.exe.620000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.0.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 15.2.kprUEGC.exe.3c0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.2.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 16.0.kprUEGC.exe.7f0000.0.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 18.2.kprUEGC.exe.c40000.1.unpack, ImageManager/Main.cs .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4120 push ecx; ret 0_2_010C4122
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C41E3 push esp; ret 0_2_010C41EA
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C40C0 push ecx; ret 0_2_010C40C2
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C40C3 push ecx; ret 0_2_010C40CA
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4219 push ebp; ret 0_2_010C421A
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C42D0 push edi; ret 0_2_010C42D2
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C42D3 push edi; ret 0_2_010C42D6
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C444B push edi; ret 0_2_010C4452
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4442 push edi; ret 0_2_010C444A
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4490 push edi; ret 0_2_010C4492
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010C4493 push edi; ret 0_2_010C449A
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB18F pushfd ; ret 0_2_010CB19A
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB1F1 pushfd ; ret 0_2_010CB1F2
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB1F3 pushfd ; ret 0_2_010CB1FA
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB30F pushfd ; ret 0_2_010CB312
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB313 pushfd ; ret 0_2_010CB31A
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB3C8 pushfd ; ret 0_2_010CB3CA
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_010CB250 pushfd ; ret 0_2_010CB252
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012A4668 pushfd ; ret 0_2_012A4669
Source: C:\Users\user\Desktop\payment details.exe Code function: 0_2_012AA6E5 push FFFFFF8Bh; iretd 0_2_012AA6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_02614668 pushfd ; ret 15_2_02614669
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_0261A6DA push dword ptr [edx+ebp*2-75h]; iretd 15_2_0261A6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_04DD1E80 push eax; mov dword ptr [esp], ecx 15_2_04DD1E84
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 15_2_04DD1E6F push eax; mov dword ptr [esp], ecx 15_2_04DD1E84
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B8A6E5 push FFFFFF8Bh; iretd 16_2_02B8A6E7
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_02B84668 pushfd ; ret 16_2_02B84669
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8AD17 push es; retf 16_2_06D8AD54
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Code function: 16_2_06D8D25B push edx; retf 16_2_06D8D265
Source: initial sample Static PE information: section name: .text entropy: 7.89257156143

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\payment details.exe File created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
Source: C:\Users\user\Desktop\payment details.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGC

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\payment details.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\payment details.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment details.exe, 00000000.00000002.699002431.0000000007F0C000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.809737744.00000000074CC000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: payment details.exe, 00000000.00000002.699002431.0000000007F0C000.00000004.00000001.sdmp, kprUEGC.exe, 0000000F.00000002.809737744.00000000074CC000.00000004.00000001.sdmp, kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\payment details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payment details.exe Window / User API: threadDelayed 3012
Source: C:\Users\user\Desktop\payment details.exe Window / User API: threadDelayed 6814
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 1107
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Window / User API: threadDelayed 8741
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payment details.exe TID: 7012 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 7028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 6712 Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\payment details.exe TID: 6712 Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\payment details.exe TID: 6784 Thread sleep count: 3012 > 30
Source: C:\Users\user\Desktop\payment details.exe TID: 6784 Thread sleep count: 6814 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6688 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6716 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 7128 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 6760 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5396 Thread sleep count: 201 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 5396 Thread sleep count: 197 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1284 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1868 Thread sleep count: 1107 > 30
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe TID: 1868 Thread sleep count: 8741 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment details.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\payment details.exe Thread delayed: delay time: 31500
Source: C:\Users\user\Desktop\payment details.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 31500
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Thread delayed: delay time: 922337203685477
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: vmware
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: kprUEGC.exe, 00000010.00000002.828189667.0000000007A4D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: payment details.exe, 00000005.00000002.927992446.00000000062B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\payment details.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\payment details.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\payment details.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: payment details.exe, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.2.payment details.exe.800000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 0.0.payment details.exe.800000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: kprUEGC.exe.5.dr, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 5.2.payment details.exe.400000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 5.2.payment details.exe.620000.1.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 5.0.payment details.exe.620000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 15.0.kprUEGC.exe.3c0000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 15.2.kprUEGC.exe.3c0000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 16.2.kprUEGC.exe.7f0000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 16.0.kprUEGC.exe.7f0000.0.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Source: 18.2.kprUEGC.exe.c40000.1.unpack, ImageManager/PInvoke/WinApi.cs Reference to suspicious API methods: ('InternalLoadLibraryW', 'LoadLibraryW@kernel32.dll'), ('InternalGetProcAddress', 'GetProcAddress@kernel32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\payment details.exe Memory written: C:\Users\user\Desktop\payment details.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Memory written: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe File written: C:\Windows\System32\drivers\etc\hosts
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\payment details.exe Process created: C:\Users\user\Desktop\payment details.exe {path}
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Process created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe {path}
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: payment details.exe, 00000005.00000002.920110142.00000000013D0000.00000002.00000001.sdmp, kprUEGC.exe, 00000013.00000002.918921239.0000000001BF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Users\user\Desktop\payment details.exe VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Users\user\Desktop\payment details.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\payment details.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\payment details.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
Source: Yara match File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
Source: Yara match File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY
Source: Yara match File source: 0.2.payment details.exe.3e052e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.kprUEGC.exe.39952e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.payment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.kprUEGC.exe.3db52e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment details.exe.3e052e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.kprUEGC.exe.39952e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.kprUEGC.exe.3db52e8.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\payment details.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\payment details.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.920699036.00000000029B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
Source: Yara match File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.916754002.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.916752082.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.690986558.0000000003C59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.919584190.00000000031F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.816268269.0000000003C09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.795750062.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.818572720.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.817039638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 816, type: MEMORY
Source: Yara match File source: Process Memory Space: payment details.exe PID: 7008, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6692, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 6932, type: MEMORY
Source: Yara match File source: Process Memory Space: kprUEGC.exe PID: 7132, type: MEMORY
Source: Yara match File source: Process Memory Space: payment details.exe PID: 1320, type: MEMORY
Source: Yara match File source: 0.2.payment details.exe.3e052e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.kprUEGC.exe.39952e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.payment details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.kprUEGC.exe.3db52e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment details.exe.3e052e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.kprUEGC.exe.39952e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.kprUEGC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.kprUEGC.exe.3db52e8.2.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 383908, Sample: payment details.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures:
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Multi AV Scanner detection for submitted file
  • 9 other signatures

Process tree:
  • payment details.exe (started from sample)
      Dropped: C:\Users\user\...\payment details.exe.log, ASCII
      Signature: Injects a PE file into a foreign processes
      • payment details.exe (child)
          Network: almasroor.com 69.65.3.206, 49764, 587 ASN-GIGENETUS United States; mail.almasroor.com
          Dropped: C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32
          Dropped: C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 3 other signatures
  • kprUEGC.exe (started from sample)
      Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      • kprUEGC.exe (child)
  • kprUEGC.exe (started from sample)
      • kprUEGC.exe (child)
          Dropped: C:\Windows\System32\drivers\etc\hosts, ASCII

Contacted Public IPs

IP           Domain         Country        ASN    ASN Name       Malicious
69.65.3.206  almasroor.com  United States  32181  ASN-GIGENETUS  true

Contacted Domains

Name                IP           Active
almasroor.com       69.65.3.206  true
mail.almasroor.com  unknown      unknown