Windows Analysis Report Payment $67,765.exe

Overview

General Information

Sample Name: Payment $67,765.exe
Analysis ID: 452732
MD5: eaf39a263bece3cbd0d6b70e22c12d8f
SHA1: 6ca9713419a03c0d1ab3e7a17dc3256bae2acb59
SHA256: 2bd20bf1f968993cf9f212761a86b1745abf4990ddcd5d5c553f456dcff3535f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • Payment $67,765.exe (PID: 5348 cmdline: 'C:\Users\user\Desktop\Payment $67,765.exe' MD5: EAF39A263BECE3CBD0D6B70E22C12D8F)
    • Payment $67,765.exe (PID: 5856 cmdline: C:\Users\user\Desktop\Payment $67,765.exe MD5: EAF39A263BECE3CBD0D6B70E22C12D8F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "billions101@vivaldi.net", "Password": "Great#@#$12909()*&^", "Host": "smtp.vivaldi.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.Payment $67,765.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
8.2.Payment $67,765.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.Payment $67,765.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "billions101@vivaldi.net", "Password": "Great#@#$12909()*&^", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for submitted file
Source: Payment $67,765.exe | Virustotal: Detection: 45%
Source: Payment $67,765.exe | ReversingLabs: Detection: 21%
Source: 8.2.Payment $67,765.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Payment $67,765.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment $67,765.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49693 -> 31.209.137.12:587
Source: Joe Sandbox View | IP Address: 31.209.137.12 31.209.137.12
Source: unknown | DNS traffic detected: queries for: smtp.vivaldi.net
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, Payment $67,765.exe, 00000008.00000002.777260147.000000000311E000.00000004.00000001.sdmp, Payment $67,765.exe, 00000008.00000002.777423502.000000000314A000.00000004.00000001.sdmp | String found in binary or memory: http://a8LHbhswx7q.org
Source: Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | String found in binary or memory: http://a8LHbhswx7q.orgL
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://hPAZoH.com
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.vivaldi.net
Source: Payment $67,765.exe, 00000000.00000003.254930224.000000000AEBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.255066869.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com4
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma-dS
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: Payment $67,765.exe, 00000000.00000003.255240091.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comts
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFE
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceom
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomk:
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comk:
Source: Payment $67,765.exe, 00000000.00000003.263803047.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Payment $67,765.exe, 00000000.00000003.260190087.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Payment $67,765.exe, 00000000.00000003.252626944.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Payment $67,765.exe, 00000000.00000003.252588759.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment $67,765.exe, 00000000.00000003.254055192.000000000AEEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv
Source: Payment $67,765.exe, 00000000.00000003.261516779.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-us
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-:
Source: Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ase
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256213901.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/W
Source: Payment $67,765.exe, 00000000.00000003.260659924.000000000AEBC000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.ec
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com-p
Source: Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krk
Source: Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms
Source: Payment $67,765.exe, 00000000.00000003.253391181.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comym
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment $67,765.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment $67,765.exe
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E578
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143B708
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_014337A8
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01435868
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01431C08
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143C540
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E940
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_014309D0
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143C5E0
Source: Payment $67,765.exe, 00000000.00000000.247731508.0000000000712000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe | Binary or memory string: OriginalFilename vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000000.307335712.0000000000C32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.774996920.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejCpMfYKTYLDoTeNAlSffzor.exe4 vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.775065575.0000000001440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.773135228.0000000000DC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment $67,765.exe
Source: Payment $67,765.exe | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment $67,765.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Payment $67,765.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment $67,765.exe.log
Source: C:\Users\user\Desktop\Payment $67,765.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment $67,765.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment $67,765.exe | Virustotal: Detection: 45%
Source: Payment $67,765.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\Payment $67,765.exe 'C:\Users\user\Desktop\Payment $67,765.exe'
Source: C:\Users\user\Desktop\Payment $67,765.exe | Process created: C:\Users\user\Desktop\Payment $67,765.exe C:\Users\user\Desktop\Payment $67,765.exe
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Payment $67,765.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment $67,765.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment $67,765.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E4C8 push eax; iretd 8_2_0143E571
Source: initial sample | Static PE information: section name: .text entropy: 7.78926933063
Source: C:\Users\user\Desktop\Payment $67,765.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Payment $67,765.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_00404E53 sldt word ptr [eax]
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Window / User API: threadDelayed 9716
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 5356 | Thread sleep time: -54169s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 5332 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 408 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 3488 | Thread sleep count: 140 > 30
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 3488 | Thread sleep count: 9716 > 30
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 54169
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 922337203685477
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Payment $67,765.exe, 00000008.00000002.781297719.00000000069B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01433518 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Memory written: C:\Users\user\Desktop\Payment $67,765.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process created: C:\Users\user\Desktop\Payment $67,765.exe C:\Users\user\Desktop\Payment $67,765.exe
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Users\user\Desktop\Payment $67,765.exe VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation