Windows Analysis Report payment receipt.pdf.exe

Overview

General Information

Sample Name: payment receipt.pdf.exe
Analysis ID: 452630
MD5: 0353af1ae14e14bf804fb78a04ae8f42
SHA1: 250aa0d3f7b16d7ff122f8ad16febb9213074676
SHA256: 746073d0f2958ace46267fa4ed5badc249b7e3a55d76c2b230c0a8b457caf6a5
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file name differs from the original file name found in version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

AV Detection:

Found malware configuration
Source: 16.2.payment receipt.pdf.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "clintongodgracelog@vivaldi.net", "Password": "858540506070", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for submitted file
Source: payment receipt.pdf.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: payment receipt.pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.2.payment receipt.pdf.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: payment receipt.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment receipt.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: payment receipt.pdf.exe, 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: payment receipt.pdf.exe, 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: payment receipt.pdf.exe, 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp String found in binary or memory: http://lUuhmE.com
Source: payment receipt.pdf.exe, 00000000.00000003.249048321.0000000005752000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment receipt.pdf.exe, 00000000.00000003.249141785.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: payment receipt.pdf.exe, 00000000.00000003.249250639.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com_;q_
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: payment receipt.pdf.exe, 00000000.00000003.249250639.000000000576E000.00000004.00000001.sdmp, payment receipt.pdf.exe, 00000000.00000003.249161630.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: payment receipt.pdf.exe, 00000000.00000003.249141785.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comtK;m_
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment receipt.pdf.exe, 00000000.00000003.334792428.0000000005749000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.como
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: payment receipt.pdf.exe, 00000000.00000003.248303442.000000000576B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: payment receipt.pdf.exe, 00000000.00000003.248303442.000000000576B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn);
Source: payment receipt.pdf.exe, 00000000.00000003.248303442.000000000576B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment receipt.pdf.exe, 00000000.00000003.248190261.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cna-d
Source: payment receipt.pdf.exe, 00000000.00000003.248190261.000000000576A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnt
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp, payment receipt.pdf.exe, 00000000.00000003.250136735.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment receipt.pdf.exe, 00000000.00000003.249581572.0000000005743000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-A
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/4A
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/?A
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/PA-
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp, payment receipt.pdf.exe, 00000000.00000003.249742435.0000000005749000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/eAp
Source: payment receipt.pdf.exe, 00000000.00000003.250136735.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-A
Source: payment receipt.pdf.exe, 00000000.00000003.250136735.000000000574C000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/wA
Source: payment receipt.pdf.exe, 00000000.00000003.249742435.0000000005749000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l-s?A
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/lA
Source: payment receipt.pdf.exe, 00000000.00000003.249581572.0000000005743000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s;
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/sivIA
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/wA
Source: payment receipt.pdf.exe, 00000000.00000003.250041780.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/~A
Source: payment receipt.pdf.exe, 00000000.00000003.253389688.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: payment receipt.pdf.exe, 00000000.00000003.246669470.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: payment receipt.pdf.exe, 00000000.00000003.246669470.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com#
Source: payment receipt.pdf.exe, 00000000.00000003.246669470.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma-d
Source: payment receipt.pdf.exe, 00000000.00000003.246669470.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comcz
Source: payment receipt.pdf.exe, 00000000.00000003.246669470.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.como
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: payment receipt.pdf.exe, 00000000.00000003.247651331.000000000574B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comumDEj
Source: payment receipt.pdf.exe, 00000000.00000003.248805268.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comv4Y
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: payment receipt.pdf.exe, 00000000.00000002.345234141.0000000006410000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment receipt.pdf.exe, 00000000.00000003.249085596.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnASI
Source: payment receipt.pdf.exe, 00000000.00000003.249141785.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn_;q_
Source: payment receipt.pdf.exe, 00000000.00000003.249085596.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn_tri
Source: payment receipt.pdf.exe, 00000000.00000003.249085596.000000000123C000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnard
Source: payment receipt.pdf.exe, 00000000.00000003.249141785.000000000576E000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cne
Source: payment receipt.pdf.exe, 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: payment receipt.pdf.exe, 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, payment receipt.pdf.exe, 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: payment receipt.pdf.exe, 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment receipt.pdf.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A83010 0_2_02A83010
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A81068 0_2_02A81068
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A82180 0_2_02A82180
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A817B8 0_2_02A817B8
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A852E8 0_2_02A852E8
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A852D9 0_2_02A852D9
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A850A0 0_2_02A850A0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A850B0 0_2_02A850B0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A8103F 0_2_02A8103F
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A82170 0_2_02A82170
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A817A8 0_2_02A817A8
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A85738 0_2_02A85738
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A85748 0_2_02A85748
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A80480 0_2_02A80480
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A80473 0_2_02A80473
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A85589 0_2_02A85589
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A85598 0_2_02A85598
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A84A08 0_2_02A84A08
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A849FB 0_2_02A849FB
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A83E68 0_2_02A83E68
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A83E59 0_2_02A83E59
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A82F28 0_2_02A82F28
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A82F7A 0_2_02A82F7A
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A84CF9 0_2_02A84CF9
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_02A84D08 0_2_02A84D08
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_033B46A0 16_2_033B46A0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_033B45B0 16_2_033B45B0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_033BDA00 16_2_033BDA00
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_066794F8 16_2_066794F8
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06677540 16_2_06677540
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06676928 16_2_06676928
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06676C70 16_2_06676C70
PE file contains strange resources
Source: payment receipt.pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name found in version info
Source: payment receipt.pdf.exe, 00000000.00000002.343107920.0000000005700000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000000.00000002.335231711.0000000000939000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBlXcK.exe2 vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000000.00000002.336171837.0000000002C31000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLxttyXcERNGRDIuUojKjv.exe4 vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000000.00000002.345977427.0000000007810000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000000.00000002.342109243.0000000005110000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 0000000F.00000000.333198162.0000000000329000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBlXcK.exe2 vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameLxttyXcERNGRDIuUojKjv.exe4 vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe, 00000010.00000000.334461953.0000000001009000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBlXcK.exe2 vs payment receipt.pdf.exe
Source: payment receipt.pdf.exe Binary or memory string: OriginalFilenameBlXcK.exe2 vs payment receipt.pdf.exe
Uses 32bit PE files
Source: payment receipt.pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: payment receipt.pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@5/1@0/0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment receipt.pdf.exe.log
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\payment receipt.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: payment receipt.pdf.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\payment receipt.pdf.exe 'C:\Users\user\Desktop\payment receipt.pdf.exe'
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process created: C:\Users\user\Desktop\payment receipt.pdf.exe {path}
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process created: C:\Users\user\Desktop\payment receipt.pdf.exe {path}
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\payment receipt.pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: payment receipt.pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: payment receipt.pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: payment receipt.pdf.exe, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.payment receipt.pdf.exe.860000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.payment receipt.pdf.exe.860000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.payment receipt.pdf.exe.250000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.payment receipt.pdf.exe.250000.0.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.payment receipt.pdf.exe.f30000.1.unpack, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_008B77A1 push ecx; retf 0_2_008B77B0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 0_2_008BB911 push ecx; iretd 0_2_008BB914
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 15_2_002AB911 push ecx; iretd 15_2_002AB914
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 15_2_002A77A1 push ecx; retf 15_2_002A77B0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_00F877A1 push ecx; retf 16_2_00F877B0
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_00F8B911 push ecx; iretd 16_2_00F8B914
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_0667A61F push es; iretd 16_2_0667A63C
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06678540 push es; ret 16_2_06678550
Source: initial sample Static PE information: section name: .text entropy: 7.70970997623

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: payment receipt.pdf.exe
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5116, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Window / User API: threadDelayed 8903 Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Window / User API: threadDelayed 929 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\payment receipt.pdf.exe TID: 1392 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe TID: 4752 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe TID: 4756 Thread sleep count: 8903 > 30 Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe TID: 4756 Thread sleep count: 929 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: vmware
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: payment receipt.pdf.exe, 00000000.00000002.336256075.0000000002C98000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Memory written: C:\Users\user\Desktop\payment receipt.pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Process created: C:\Users\user\Desktop\payment receipt.pdf.exe {path} Jump to behavior
Source: payment receipt.pdf.exe, 00000010.00000002.511969163.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: payment receipt.pdf.exe, 00000010.00000002.511969163.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: payment receipt.pdf.exe, 00000010.00000002.511969163.0000000001E80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: payment receipt.pdf.exe, 00000010.00000002.511969163.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: payment receipt.pdf.exe, 00000010.00000002.511969163.0000000001E80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Users\user\Desktop\payment receipt.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information (VolumeInformation) of the following font files under C:\Windows\Fonts\ (181 entries, one per query):
LEELAWDB.TTF, MSUIGHUR.TTF, MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF,
ITCKRIST.TTF, JUICE___.TTF, FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF,
GARA.TTF, GARAIT.TTF, GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF,
BAUHS93.TTF, BELL.TTF, BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF, BRITANIC.TTF,
BROADW.TTF, BRUSHSCI.TTF, CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF, CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF,
HARLOWSI.TTF, HARNGTON.TTF, HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF, KUNSTLER.TTF, LBRITE.TTF, LBRITED.TTF, LBRITEI.TTF, LBRITEDI.TTF,
LCALLIG.TTF, LFAX.TTF, LFAXD.TTF, LFAXI.TTF, LFAXDI.TTF, MAGNETOB.TTF, MATURASC.TTF, MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF,
OLDENGL.TTF, ONYX.TTF, PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF, INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF,
VINERITC.TTF, VIVALDII.TTF, VLADIMIR.TTF, LATINWD.TTF, TCM_____.TTF, TCMI____.TTF, TCB_____.TTF, TCBI____.TTF, TCCM____.TTF, TCCB____.TTF,
TCCEB.TTF, SCRIPTBL.TTF, ROCK.TTF, ROCKI.TTF, ROCKB.TTF, ROCKEB.TTF, ROCKBI.TTF, ROCC____.TTF, ROCCB___.TTF, RAGE.TTF,
PERTILI.TTF, PERTIBD.TTF, PER_____.TTF, PERI____.TTF, PERB____.TTF, PERBI___.TTF, PALSCRI.TTF, OCRAEXT.TTF, MAIAN.TTF, LTYPE.TTF,
LTYPEO.TTF, LTYPEB.TTF, LTYPEBO.TTF, LSANS.TTF, LSANSD.TTF, LSANSI.TTF, LSANSDI.TTF, IMPRISHA.TTF, HATTEN.TTF, GOUDYSTO.TTF,
GOUDOS.TTF, GOUDOSI.TTF, GOUDOSB.TTF, GLECB.TTF, GIL_____.TTF, GILI____.TTF, GILB____.TTF, GILBI___.TTF, GILC____.TTF, GLSNECB.TTF,
GIGI.TTF, FRABK.TTF, FRABKIT.TTF, FORTE.TTF, FELIXTI.TTF, ERASMD.TTF, ERASLGHT.TTF, ERASDEMI.TTF, ERASBD.TTF, ENGR.TTF,
ELEPHNT.TTF, ELEPHNTI.TTF, ITCEDSCR.TTF, CURLZ___.TTF, COPRGTL.TTF, COPRGTB.TTF, CENSCBK.TTF, SCHLBKI.TTF, SCHLBKB.TTF, SCHLBKBI.TTF,
CASTELAR.TTF, CALIST.TTF, CALISTI.TTF, CALISTB.TTF, CALISTBI.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF, BOD_R.TTF,
BOD_I.TTF, BOD_B.TTF, BOD_BI.TTF, BOD_CR.TTF, BOD_BLAR.TTF, BOD_CI.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, ITCBLKAD.TTF,
ARLRDBD.TTF, AGENCYR.TTF, AGENCYB.TTF, BSSYM7.TTF, REFSAN.TTF, REFSPCL.TTF, MTEXTRA.TTF, marlett.ttf, segoeuii.ttf, segoeuiz.ttf, micross.ttf
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Users\user\Desktop\payment receipt.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06675A94 GetUserNameW, 16_2_06675A94
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
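The block of volume-information entries above is dominated by font files, which a .NET sample that loads System.Windows.Forms produces as a side effect of font enumeration rather than as stealer behaviour; the entries worth an analyst's attention are the sample reading its own file, the System.Management.dll load (the .NET WMI client, consistent with the Win32_Bios / Win32_Processor / Win32_NetworkAdapter WMI queries listed among the signatures), the MachineGuid registry read and the GetUserNameW call. The following triage script is an added example and not part of the Joe Sandbox report: it parses behaviour lines in the report's own text format, buckets the volume queries, and pulls out the host-fingerprinting entries. The sample input is constructed from a handful of the entries shown on this page, and the noise/fingerprint classification is the editor's heuristic, not the sandbox's.

```python
"""Triage 'Queries volume information' / registry / API lines from a Joe Sandbox
behaviour listing. Added example; the bucketing rules below are an analyst's
heuristic, not part of the report."""
import re
from collections import Counter

# Constructed sample input: a few entries copied from the report in its own
# text format (font entries, assembly loads, the self-query, the API call and
# the registry read).
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Users\user\Desktop\payment receipt.pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Code function: 16_2_06675A94 GetUserNameW, 16_2_06675A94
Source: C:\Users\user\Desktop\payment receipt.pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
""".strip().splitlines()

# One regex per line shape. The trailing "Jump to behavior" is link residue
# from the HTML report and is made optional so stripped copies parse too.
VOLUME_RE = re.compile(r"^Source: (?P<proc>.+?) Queries volume information: (?P<path>.+?) VolumeInformation(?: Jump to behavior)?$")
REGKEY_RE = re.compile(r"^Source: (?P<proc>.+?) Key value queried: (?P<key>.+?) (?P<value>\S+)(?: Jump to behavior)?$")
CODEFN_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<fn>\S+) (?P<apis>.+?),\s*(?P=fn)$")

# Editor's mapping (assumption, not from the report) of reads and calls that
# are typical host-fingerprinting steps for a credential stealer.
FINGERPRINT_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid":
        "per-installation machine identifier, commonly used as a victim ID",
}
FINGERPRINT_APIS = {"GetUserNameW": "collects the logged-on user name"}


def classify_volume_query(proc: str, path: str) -> str:
    """Bucket one VolumeInformation query by the kind of path it touches."""
    low = path.lower()
    if low.startswith("c:\\windows\\fonts\\"):
        return "font"       # font enumeration noise from the .NET/GDI+ stack
    if "\\microsoft.net\\assembly\\" in low and low.endswith(".dll"):
        return "assembly"   # GAC assemblies the sample loads (tells you its capabilities)
    if low == proc.lower():
        return "self"       # sample inspecting the volume it runs from
    return "other"


def triage(lines):
    """Return (bucket counts, notable findings) for a list of behaviour lines.

    Notable findings are (category, subject, detail) tuples in report order."""
    buckets = Counter()
    notable = []
    for line in lines:
        m = VOLUME_RE.match(line)
        if m:
            kind = classify_volume_query(m["proc"], m["path"])
            buckets[kind] += 1
            if kind != "font":
                notable.append(("volume", kind, m["path"]))
            continue
        m = REGKEY_RE.match(line)
        if m:
            full = m["key"] + "\\" + m["value"]
            why = FINGERPRINT_VALUES.get(full)
            if why:
                notable.append(("registry", full, why))
            continue
        m = CODEFN_RE.match(line)
        if m:
            for api in (a.strip() for a in m["apis"].split(",")):
                if api in FINGERPRINT_APIS:
                    notable.append(("api", api, FINGERPRINT_APIS[api]))
    return buckets, notable


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LINES)
    print("volume queries per bucket:", dict(counts))
    for category, subject, detail in findings:
        print(f"[{category}] {subject}: {detail}")
```

Run against the full report the same way (read the behaviour section into a list of lines); the "assembly" bucket is the useful one for capability mapping, since System.Management.dll appearing next to the WMI signatures is the link between this listing and the anti-VM checks reported higher up.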

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 16.2.payment receipt.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 16.2.payment receipt.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5800, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5116, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5800, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 16.2.payment receipt.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match File source: 16.2.payment receipt.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5800, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5116, type: MEMORY
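The Yara match lists in the "Stealing of Sensitive Information" and "Remote Access Functionality" sections above name three kinds of artefact: unpacked PE images (`16.2.payment receipt.pdf.exe.400000.0.unpack`), memory dumps (`00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp`) and whole process memory spaces keyed by PID. Read together they tell the injection story: process 16 holds an AgentTesla image at 0x400000 whose dump region 0x402000 carries protection value 0x40, while the other matched regions carry 0x04. The script below is an added example, not part of the report, that parses those lines and groups hits by rule and process. Two readings in it are the editor's assumptions rather than documented report semantics: that the sdmp fields are `<process index hex>.<analysis step>.<dump id>.<base address>.<page protection>.<type>`, with the protection field being a Win32 PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), and that PID 5800 is process 16 (inferred because the "Credential Stealer" rule matches only the process-16 dump and only PID 5800). The sample input is constructed from the match lines shown on this page.

```python
"""Parse Joe Sandbox 'Yara match File source' lines and summarise which
processes and memory regions each rule hit. Added example; field semantics
of the dump names are the editor's reading (see PAGE_PROTECT)."""
import re
from collections import defaultdict

# Constructed sample: the match lines of the second "AgentTesla" rule and the
# "Credential Stealer" rule exactly as they appear on this page.
SAMPLE_YARA = """
Yara detected AgentTesla
Source: Yara match File source: 16.2.payment receipt.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.payment receipt.pdf.exe.3d4ea58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.508971012.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.339472229.0000000003C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5800, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5116, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000010.00000002.512572986.00000000035D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: payment receipt.pdf.exe PID: 5800, type: MEMORY
""".strip().splitlines()

RULE_RE = re.compile(r"^Yara detected (?P<rule>.+)$")
SOURCE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+), type: (?P<type>\w+)$")
# <proc>.<step>.<dump id>.<base>.<protection>.<type>.sdmp  (assumed field layout)
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<step>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")
# <proc>.<step>.<image name>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<step>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>.+) PID: (?P<pid>\d+)$")

# Win32 page-protection constants; mapping the 5th sdmp field onto them is an
# assumption that fits the values seen in this report (0x40 at the injected
# image, 0x04 on heap-like regions).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


def parse_yara_hits(lines):
    """Map rule name -> list of parsed match entries (dicts), in report order."""
    hits = defaultdict(list)
    rule = None
    for line in lines:
        m = RULE_RE.match(line)
        if m:
            rule = m["rule"]
            continue
        m = SOURCE_RE.match(line)
        if not m or rule is None:
            continue
        src = m["src"]
        if (s := SDMP_RE.match(src)):
            prot = int(s["prot"], 16)
            hits[rule].append({"kind": "memdump", "proc": int(s["proc"], 16),
                               "base": int(s["base"], 16), "prot": prot,
                               "prot_name": PAGE_PROTECT.get(prot, hex(prot))})
        elif (u := UNPACK_RE.match(src)):
            hits[rule].append({"kind": "unpacked_pe", "proc": int(u["proc"]),
                               "base": int(u["base"], 16), "raw": bool(u["raw"])})
        elif (p := PIDSPACE_RE.match(src)):
            hits[rule].append({"kind": "process", "pid": int(p["pid"]), "image": p["image"]})
    return dict(hits)


def processes_by_rule(hits):
    """Which sandbox process indices each rule fired in."""
    return {rule: sorted({e["proc"] for e in entries if "proc" in e})
            for rule, entries in hits.items()}


def injected_rwx_regions(hits):
    """Memory-dump hits on writable+executable regions: the footprint of a
    payload written into a (suspended) child rather than mapped from disk."""
    found = set()
    for rule, entries in hits.items():
        for e in entries:
            if e["kind"] == "memdump" and e["prot"] == 0x40:
                found.add((e["proc"], e["base"], rule))
    return sorted(found)


if __name__ == "__main__":
    parsed = parse_yara_hits(SAMPLE_YARA)
    print("processes per rule:", processes_by_rule(parsed))
    for proc, base, rule in injected_rwx_regions(parsed):
        print(f"process {proc}: RWX region at {base:#x} matched by {rule}")
```

The output for the lines on this page is one RWX hit, process 16 at 0x402000 for the AgentTesla rule, which is the unpacked payload living in the copy the sample spawned in suspended mode; the parent (process 0) only ever matches on its 0x03C31000 read-write region, the staging buffer from which the PE was injected.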
No contacted IP infos