
Windows Analysis Report Payment $67,765.exe

Overview

General Information

Sample Name: Payment $67,765.exe
Analysis ID: 452732
MD5: eaf39a263bece3cbd0d6b70e22c12d8f
SHA1: 6ca9713419a03c0d1ab3e7a17dc3256bae2acb59
SHA256: 2bd20bf1f968993cf9f212761a86b1745abf4990ddcd5d5c553f456dcff3535f
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • Payment $67,765.exe (PID: 5348 cmdline: 'C:\Users\user\Desktop\Payment $67,765.exe' MD5: EAF39A263BECE3CBD0D6B70E22C12D8F)
    • Payment $67,765.exe (PID: 5856 cmdline: C:\Users\user\Desktop\Payment $67,765.exe MD5: EAF39A263BECE3CBD0D6B70E22C12D8F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "billions101@vivaldi.net", "Password": "Great#@#$12909()*&^", "Host": "smtp.vivaldi.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not included in this export)

Unpacked PEs

Source | Rule | Description | Author
8.2.Payment $67,765.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.Payment $67,765.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
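The dump names in these two tables encode where each Yara match was found. As an added example (not part of the report or of Joe Sandbox's own tooling), the Python below parses the names into fields and decodes the protection column with the winnt.h PAGE_* constants. The field layout (process index, run, dump id, base address, protection, type) is an assumption read off the names in this report; the protection values themselves are exact. Run over the five Memory Dumps rows it shows that both JoeSecurity_AgentTesla rules fire on a PAGE_EXECUTE_READWRITE region at 0x402000 inside the image mapped at 0x400000, the same region the Unpacked PEs table lists as 8.2.Payment $67,765.exe.400000.0.unpack, while the remaining hits are PAGE_READWRITE heap regions. An RWX region at the image base of the second, self-spawned process is what an unpacked payload written over a suspended process looks like, which is the behaviour the report's suspended-process and injection signatures describe.

```python
"""Decode Joe Sandbox memory-dump names from the Yara Overview.

Added example, not part of the report or of Joe Sandbox's tooling. The field
layout (process index, run, dump id, base address, protection, type) is an
assumption read off the names in this report; the protection values are the
Windows PAGE_* constants from winnt.h.
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants; the low byte is exactly one of these.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"))

# Assumed layout: <proc>.<run>.<dump id>.<base, 16 hex>.<protect, hex>.<type, hex>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<run>\d{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int   # sandbox-internal process index; "8" matches the report's 8_2_... prefixes
    run: int
    dump_id: int
    base: int
    protect: int
    kind: int

    @property
    def protection_name(self) -> str:
        low = self.protect & 0xFF
        names = [PAGE_PROTECTION.get(low, f"0x{low:02X}")]
        names += [n for flag, n in PAGE_MODIFIERS if self.protect & flag]
        return "|".join(names)

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    g = m.groupdict()
    return DumpRegion(int(g["proc"]), int(g["run"]), int(g["dump_id"]),
                      int(g["base"], 16), int(g["protect"], 16), int(g["kind"], 16))


# Rows copied from the report's Memory Dumps table.
YARA_HITS = [
    ("00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp", "JoeSecurity_AgentTesla_2"),
    ("00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
    ("00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp", "JoeSecurity_CredentialStealer"),
    ("00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp", "JoeSecurity_AgentTesla_1"),
]


def rwx_regions_with_hits(hits):
    """Group rule names per region and keep only writable+executable regions.

    A family rule firing on an RWX region inside the image mapped at 0x400000 in
    the child process is the unpacked payload; RW-only hits are heap copies of
    strings or config, useful for extraction but not the mapped image.
    """
    by_region = {}
    for name, rule in hits:
        by_region.setdefault(parse_dump_name(name), set()).add(rule)
    return {r: sorted(rules) for r, rules in by_region.items() if r.writable_and_executable}


if __name__ == "__main__":
    for region, rules in rwx_regions_with_hits(YARA_HITS).items():
        print(f"proc {region.process} run {region.run} base 0x{region.base:X} "
              f"{region.protection_name}: {', '.join(rules)}")
```

When triaging Joe Sandbox output in bulk, this is also the cheapest filter for which dump to hand to a config extractor: the RWX image region, not the read-write copies.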

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.Payment $67,765.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "billions101@vivaldi.net", "Password": "Great#@#$12909()*&^", "Host": "smtp.vivaldi.net"}
Multi AV Scanner detection for submitted file
Source: Payment $67,765.exe | Virustotal: Detection: 45%
Source: Payment $67,765.exe | ReversingLabs: Detection: 21%
Source: 8.2.Payment $67,765.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: Payment $67,765.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment $67,765.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.5:49693 -> 31.209.137.12:587
Source: Joe Sandbox View | IP Address: 31.209.137.12
Source: unknown | DNS traffic detected: queries for: smtp.vivaldi.net
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, Payment $67,765.exe, 00000008.00000002.777260147.000000000311E000.00000004.00000001.sdmp, Payment $67,765.exe, 00000008.00000002.777423502.000000000314A000.00000004.00000001.sdmp | String found in binary or memory: http://a8LHbhswx7q.org
Source: Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | String found in binary or memory: http://a8LHbhswx7q.orgL
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: http://hPAZoH.com
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.vivaldi.net
Source: Payment $67,765.exe, 00000000.00000003.254930224.000000000AEBE000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.255066869.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com4
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma-dS
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: Payment $67,765.exe, 00000000.00000003.255240091.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comts
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTFE
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalic
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceom
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomk:
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.com
Source: Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comk:
Source: Payment $67,765.exe, 00000000.00000003.263803047.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: Payment $67,765.exe, 00000000.00000003.260190087.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: Payment $67,765.exe, 00000000.00000003.252626944.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Payment $67,765.exe, 00000000.00000003.252588759.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment $67,765.exe, 00000000.00000003.254055192.000000000AEEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnd
Source: Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnv
Source: Payment $67,765.exe, 00000000.00000003.261516779.000000000AEB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/-us
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-:
Source: Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ase
Source: Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp, Payment $67,765.exe, 00000000.00000003.256213901.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/W
Source: Payment $67,765.exe, 00000000.00000003.260659924.000000000AEBC000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.ec
Source: Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com-p
Source: Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krk
Source: Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.coms
Source: Payment $67,765.exe, 00000000.00000003.253391181.000000000AECB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comym
Source: Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment $67,765.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
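Taken together, the DNS query for smtp.vivaldi.net, the connection 192.168.2.5:49693 -> 31.209.137.12:587 and the Host field of the extracted configuration identify the exfiltration channel: authenticated mail submission on port 587 through the actor's own mailbox. Submission normally upgrades to STARTTLS, so content inspection is not a reliable control; what a network defender can act on is the flow itself, a workstation opening a mail-submission port to anything other than the approved relay, enriched with the DNS answer that produced the destination. Most of the remaining URLs in the list are not indicators: the fontbureau.com, carterandcone.com, jiyu-kobo.co.jp and similar strings are characteristic of embedded font metadata and sit in the parent process (index 0), and the letsencrypt.org, lencr.org and identrust.com URLs are most likely the certificate chain pulled in when the TLS session to smtp.vivaldi.net was set up. The Tor Browser download URL is a string embedded in the binary; the extractor reports SMTP as the configured mode. The Python below is an added example, not code from the report or from Joe Sandbox: it applies that flow-plus-DNS rule to constructed log lines modelled on the report's observations. The log formats, the approved-relay address 192.168.2.20 and the second client 192.168.2.7 are assumptions made for the example.

```python
"""Flow/DNS-level detection of AgentTesla SMTP exfiltration.

Added example; not part of the Joe Sandbox report. The exfil host comes from
the report's extracted configuration; the log lines, their format and the
approved-relay address are constructed for the example.
"""
import re
from dataclasses import dataclass

EXFIL_HOSTS = {"smtp.vivaldi.net"}          # "Host" from the extracted AgentTesla config
MAIL_SUBMISSION_PORTS = {25, 465, 587}
APPROVED_MAIL_RELAYS = {"192.168.2.20"}     # assumption: the only sanctioned outbound mail path

# Constructed logs. The first flow mirrors the report's observation
# "TCP traffic: 192.168.2.5:49693 -> 31.209.137.12:587"; the DNS answer mirrors
# "DNS traffic detected: queries for: smtp.vivaldi.net".
DNS_LOG = """\
2021-07-12T10:00:01Z 192.168.2.5 A smtp.vivaldi.net 31.209.137.12
2021-07-12T10:00:03Z 192.168.2.5 A www.example.com 93.184.216.34
"""
FLOW_LOG = """\
2021-07-12T10:00:02Z TCP 192.168.2.5:49693 -> 31.209.137.12:587
2021-07-12T10:00:04Z TCP 192.168.2.5:49701 -> 93.184.216.34:443
2021-07-12T10:00:05Z TCP 192.168.2.5:49702 -> 192.168.2.20:587
2021-07-12T10:00:06Z TCP 192.168.2.7:50110 -> 203.0.113.9:465
"""

DNS_RE = re.compile(r"^(\S+) (\S+) A (\S+) (\S+)$")
FLOW_RE = re.compile(r"^(\S+) TCP (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    dst: str
    dport: int
    reason: str


def resolved_names(dns_log: str) -> dict:
    """Map (client, answer IP) -> queried name so a later flow can be tied to its lookup."""
    names = {}
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m:
            _ts, client, qname, answer = m.groups()
            names[(client, answer)] = qname.lower()
    return names


def detect_smtp_exfil(flow_log: str, dns_log: str, exfil_hosts=frozenset(EXFIL_HOSTS)) -> list:
    """Alert on mail submission that bypasses the approved relay.

    Severity is 'high' when the destination was resolved from a name in the
    extracted config (known exfil endpoint) and 'medium' for any other direct
    submission from a client, which is how an AgentTesla build configured with
    a different mailbox would still surface.
    """
    names = resolved_names(dns_log)
    alerts = []
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        _ts, src, _sport, dst, dport = m.groups()
        dport = int(dport)
        if dport not in MAIL_SUBMISSION_PORTS or dst in APPROVED_MAIL_RELAYS:
            continue
        qname = names.get((src, dst))
        if qname in exfil_hosts:
            alerts.append(Alert("high", src, dst, dport,
                                f"mail submission to known AgentTesla exfil host {qname}"))
        else:
            alerts.append(Alert("medium", src, dst, dport,
                                "direct mail submission from a client, bypassing the approved relay"))
    return alerts


if __name__ == "__main__":
    for alert in detect_smtp_exfil(FLOW_LOG, DNS_LOG):
        print(alert)
```

The medium-severity branch is the one that keeps paying off: the mailbox in this sample's configuration will be burned or rotated, but the pattern of a client host speaking SMTP submission to the internet rather than to the corporate relay does not change between builds.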

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Payment $67,765.exe
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E578
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143B708
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_014337A8
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01435868
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01431C08
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143C540
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E940
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_014309D0
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143C5E0
Source: Payment $67,765.exe, 00000000.00000000.247731508.0000000000712000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe | Binary or memory string: OriginalFilename vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000000.307335712.0000000000C32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.774996920.00000000012F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejCpMfYKTYLDoTeNAlSffzor.exe4 vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.775065575.0000000001440000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment $67,765.exe
Source: Payment $67,765.exe, 00000008.00000002.773135228.0000000000DC8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment $67,765.exe
Source: Payment $67,765.exe | Binary or memory string: OriginalFilenameCountdownEve.exeJ vs Payment $67,765.exe
Source: Payment $67,765.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment $67,765.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1
Source: C:\Users\user\Desktop\Payment $67,765.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment $67,765.exe.log
Source: C:\Users\user\Desktop\Payment $67,765.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment $67,765.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment $67,765.exe | Virustotal: Detection: 45%
Source: Payment $67,765.exe | ReversingLabs: Detection: 21%
Source: unknown | Process created: C:\Users\user\Desktop\Payment $67,765.exe 'C:\Users\user\Desktop\Payment $67,765.exe'
Source: C:\Users\user\Desktop\Payment $67,765.exe | Process created: C:\Users\user\Desktop\Payment $67,765.exe C:\Users\user\Desktop\Payment $67,765.exe
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Payment $67,765.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment $67,765.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Payment $67,765.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment $67,765.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_0143E4C8 push eax; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.78926933063
Source: C:\Users\user\Desktop\Payment $67,765.exe | Process information set: NOOPENFILEERRORBOX (reported 87 times)

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_00404E53 sldt word ptr [eax]
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Window / User API: threadDelayed 9716
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 5356 | Thread sleep time: -54169s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 5332 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 408 | Thread sleep time: -14757395258967632s >= -30000s
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 3488 | Thread sleep count: 140 > 30
                Source: C:\Users\user\Desktop\Payment $67,765.exe TID: 3488 | Thread sleep count: 9716 > 30
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\Payment $67,765.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 54169
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Thread delayed: delay time: 922337203685477
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: Payment $67,765.exe, 00000008.00000002.781297719.00000000069B0000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Payment $67,765.exe, 00000008.00000002.780697434.0000000006060000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Code function: 8_2_01433518 LdrInitializeThunk,
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign process
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Memory written: C:\Users\user\Desktop\Payment $67,765.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Process created: C:\Users\user\Desktop\Payment $67,765.exe C:\Users\user\Desktop\Payment $67,765.exe
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
                Source: Payment $67,765.exe, 00000008.00000002.775410156.00000000018B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Users\user\Desktop\Payment $67,765.exe VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Users\user\Desktop\Payment $67,765.exe VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\Payment $67,765.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
    Source: Yara match, File source: 8.2.Payment $67,765.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
    Source: Yara match, File source: 8.2.Payment $67,765.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Source: C:\Users\user\Desktop\Payment $67,765.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\Payment $67,765.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\Payment $67,765.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Users\user\Desktop\Payment $67,765.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: Yara match, File source: 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY
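Added example (editor's code, not part of the Joe Sandbox report and not code from the sample): a Python detector that turns the access pattern listed above into a host-based check over file-open and registry-open events. It generalises the report's exact paths to any user name and any Chrome, Firefox or Thunderbird profile directory, adds FileZilla's sitemanager.xml as a second FTP store (an assumption, not in the report), and flags a process only when it touches stores from two or more unrelated categories in one run, so a browser reading its own Login Data is not reported. The flat `pid=... image="..." op=... target="..."` event format, the pid values and the two benign lines are constructed for this example; the stealer lines reproduce the paths and keys from the section above.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Credential-store locations the report shows the sample opening, generalised so that any
# user name and any browser/mail profile directory matches.  FileZilla's sitemanager.xml is
# an editor's addition (a second well-known FileZilla store); every other pattern is derived
# from a path or registry key listed in the report.
CREDENTIAL_STORE_RULES: List[Tuple[str, re.Pattern]] = [
    ("browser", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("browser", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("ftp", re.compile(r"\\FileZilla\\(recentservers|sitemanager)\.xml$", re.I)),
    ("ftp", re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I)),
    ("scp", re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions", re.I)),
    ("mail", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail", re.compile(r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities", re.I)),
    ("mail", re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I)),
]

# Hypothetical flat event format used only for this example: one file-open or key-open per line.
EVENT_RE = re.compile(
    r'^pid=(?P<pid>\d+) image="(?P<image>[^"]+)" op=(?P<op>\w+) target="(?P<target>[^"]+)"$'
)

# Constructed event log.  The pid=8 lines carry the exact paths and keys from the report's
# "Stealing of Sensitive Information" section (the pid itself is made up); the last two lines
# are constructed benign noise: the browser reading its own store, and Explorer opening a document.
SAMPLE_EVENTS = [
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=RegOpenKey target="HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=FileOpen target="C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=FileOpen target="C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=FileOpen target="C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=FileOpen target="C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=FileOpen target="C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=RegOpenKey target="HKEY_CURRENT_USER\Software\IncrediMail\Identities"',
    r'pid=8 image="C:\Users\user\Desktop\Payment $67,765.exe" op=RegOpenKey target="HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"',
    r'pid=1337 image="C:\Program Files\Google\Chrome\Application\chrome.exe" op=FileOpen target="C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"',
    r'pid=2048 image="C:\Windows\explorer.exe" op=FileOpen target="C:\Users\user\Documents\invoice.docx"',
]


def classify(target: str) -> Optional[str]:
    """Return the credential-store category a file path or registry key belongs to, or None."""
    for category, pattern in CREDENTIAL_STORE_RULES:
        if pattern.search(target):
            return category
    return None


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into its fields; lines that do not match the format are skipped."""
    match = EVENT_RE.match(line.strip())
    return match.groupdict() if match else None


def find_harvesters(lines: Iterable[str], min_categories: int = 2) -> Dict[Tuple[str, str], Dict[str, List[str]]]:
    """Group credential-store accesses per (pid, image) and keep processes spanning several categories.

    A browser reading its own Login Data is a single category and is not reported; one process
    touching browser, FTP, SCP and mail stores in the same run, as this sample does, is the
    infostealer pattern the heuristic is after.
    """
    touched: Dict[Tuple[str, str], Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        category = classify(event["target"])
        if category is None:
            continue
        touched[(event["pid"], event["image"])][category].add(event["target"])
    return {
        proc: {cat: sorted(targets) for cat, targets in cats.items()}
        for proc, cats in touched.items()
        if len(cats) >= min_categories
    }


if __name__ == "__main__":
    for (pid, image), cats in find_harvesters(SAMPLE_EVENTS).items():
        print(f"[!] pid {pid} {image} touched {len(cats)} credential-store categories: {', '.join(sorted(cats))}")
        for cat, targets in sorted(cats.items()):
            for target in targets:
                print(f"      {cat:8s} {target}")
```

Run as a script it prints the single flagged process with its four categories. To use it on real telemetry, replace EVENT_RE with a parser for your Sysmon event 11/12/13 or Procmon CSV export; the rule table and the two-category threshold are the part worth keeping.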

Remote Access Functionality:

Yara detected AgentTesla
    Source: Yara match, File source: 8.2.Payment $67,765.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
    Source: Yara match, File source: 8.2.Payment $67,765.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, File source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, File source: 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Techniques carrying digits are the ones matched by this analysis; the digits are the report's per-technique signature count badges, reproduced as shown. One row per matrix line, one column per tactic.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Path Interception | Process Injection (112) | Masquerading (1) | OS Credential Dumping (2) | Security Software Discovery (111) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | Credentials in Registry (1) | Process Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (141) | Security Account Manager | Virtualization/Sandbox Evasion (141) | SMB/Windows Admin Shares | Data from Local System (2) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (2) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (3) | Cached Domain Credentials | System Information Discovery (114) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

[behavior graph image]

Screenshots

[screenshot thumbnails]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Payment $67,765.exe | 46% | Virustotal |
Payment $67,765.exe | 17% | Metadefender |
Payment $67,765.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.Payment $67,765.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comn-u | 0% | URL Reputation | safe
http://www.fontbureau.comceom | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ase | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.carterandcone.com4 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://hPAZoH.com | 0% | Avira URL Cloud | safe
http://a8LHbhswx7q.orgL | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/: | 0% | Avira URL Cloud | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/: | 0% | URL Reputation | safe
http://www.fontbureau.comk: | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.fonts.comic | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe
http://www.carterandcone.comC | 0% | URL Reputation | safe
http://www.founder.com.cn/cnv | 0% | Avira URL Cloud | safe
http://www.carterandcone.coma-dS | 0% | Avira URL Cloud | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0-: | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/W | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.monotype.ec | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
http://www.fontbureau.comcomk: | 0% | Avira URL Cloud | safe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://DynDns.comDynDNS0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://www.fontbureau.comF0%URL Reputationsafe
                http://cps.letsencrypt.org00%URL Reputationsafe
                http://cps.letsencrypt.org00%URL Reputationsafe
                http://cps.letsencrypt.org00%URL Reputationsafe
                http://www.tiro.coms0%Avira URL Cloudsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.carterandcone.comTC0%URL Reputationsafe
                http://www.sandoll.co.krk0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/E0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/E0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/E0%URL Reputationsafe
                http://a8LHbhswx7q.org0%Avira URL Cloudsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                http://www.carterandcone.comts0%Avira URL Cloudsafe
                http://www.fontbureau.comd0%URL Reputationsafe
                http://www.fontbureau.comd0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.vivaldi.net | 31.209.137.12 | true | false | none | high

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.comn-u | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×4 | unknown
http://www.fontbureau.comceom | Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ase | Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | false | URL Reputation: safe ×4 | unknown
http://smtp.vivaldi.net | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com/designers | Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | false | none | high
http://www.carterandcone.com4 | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comessed | Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.carterandcone.com | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.255066869.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://hPAZoH.com | Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://a8LHbhswx7q.orgL | Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/: | Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://r3.i.lencr.org/0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.jiyu-kobo.co.jp/: | Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.comk: | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Payment $67,765.exe, 00000000.00000003.261516779.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fonts.comic | Payment $67,765.exe, 00000000.00000003.252588759.000000000AECB000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.jiyu-kobo.co.jp/3 | Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.carterandcone.comC | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.founder.com.cn/cnv | Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coma-dS | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://x1.i.lencr.org/0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://r3.o.lencr.org0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.ascendercorp.com/typedesigners.html | Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fonts.com | Payment $67,765.exe, 00000000.00000003.252626944.000000000AECB000.00000004.00000001.sdmp | false | none | high
http://www.sandoll.co.kr | Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.zhongyicts.com.cn | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.jiyu-kobo.co.jp/Y0-: | Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/W | Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Payment $67,765.exe | false | URL Reputation: safe ×3 | unknown
http://www.monotype.ec | Payment $67,765.exe, 00000000.00000003.260659924.000000000AEBC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.founder.com.cn/cnd | Payment $67,765.exe, 00000000.00000003.254055192.000000000AEEE000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.comcomk: | Payment $67,765.exe, 00000000.00000003.258291871.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Payment $67,765.exe, 00000000.00000003.254930224.000000000AEBE000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com | Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | false | none | high
http://DynDns.comDynDNS | Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.comF | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://cps.letsencrypt.org0 | Payment $67,765.exe, 00000008.00000002.777336121.0000000003128000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.tiro.coms | Payment $67,765.exe, 00000000.00000003.254770138.00000000010FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Payment $67,765.exe, 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.carterandcone.comTC | Payment $67,765.exe, 00000000.00000003.255172894.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.sandoll.co.krk | Payment $67,765.exe, 00000000.00000003.253673943.000000000AEED000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/E | Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://a8LHbhswx7q.org | Payment $67,765.exe, 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp; Payment $67,765.exe, 00000008.00000002.777260147.000000000311E000.00000004.00000001.sdmp; Payment $67,765.exe, 00000008.00000002.777423502.000000000314A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.256213901.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.carterandcone.comts | Payment $67,765.exe, 00000000.00000003.255240091.000000000AEB8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comd | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.come.com | Payment $67,765.exe, 00000000.00000003.263923698.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.com.TTFE | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com-p | Payment $67,765.exe, 00000000.00000003.256581600.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Payment $67,765.exe, 00000000.00000003.254384851.000000000AEBB000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.jiyu-kobo.co.jp/-us | Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comt | Payment $67,765.exe, 00000000.00000003.260190087.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.comm | Payment $67,765.exe, 00000000.00000003.263803047.000000000AEB8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.jiyu-kobo.co.jp/ | Payment $67,765.exe, 00000000.00000003.256726676.000000000AEB9000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.256348929.000000000AEB8000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.255912528.000000000AEB7000.00000004.00000001.sdmp; Payment $67,765.exe, 00000000.00000003.256005482.000000000AEB7000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.tiro.comym | Payment $67,765.exe, 00000000.00000003.253391181.000000000AECB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comals | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.fontbureau.comalic | Payment $67,765.exe, 00000000.00000003.259805936.000000000AEB9000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
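The table above is the raw result of carving URL-like strings out of the memory dumps, and most rows are not network indicators: the type-foundry URLs come from font name tables the process touched, the lencr.org and letsencrypt.org entries are the Let's Encrypt OCSP/CRL/CPS endpoints embedded in the SMTP server's certificate chain, and many strings carry trailing bytes from the carving itself ("comessed", "org0"). The Python below is an added triage example of mine, not part of the Joe Sandbox report: it buckets those strings into font metadata, certificate-chain endpoints and loopback, leaving the remainder as candidates for review. The vendor and CA host lists, the bucket names and the `REPORT_URLS` sample (a verbatim subset of the table) are assumptions I introduced for the example, not report fields.

```python
"""Triage of the URL strings carved from process memory in the table above.

Added example, not part of the Joe Sandbox report. The host lists and the
sample input are the author's assumptions, built from strings on this page.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Type foundries whose fonts ship with Windows and Office. Font name tables
# carry these URLs, so any process that has loaded font data leaks them into
# a memory dump. Assumed list, compiled from the report's own strings.
FONT_VENDOR_HOSTS = (
    "www.fontbureau.com", "www.carterandcone.com", "www.jiyu-kobo.co.jp",
    "www.sandoll.co.kr", "www.zhongyicts.com.cn", "www.tiro.com",
    "www.monotype.", "www.founder.com.cn", "www.galapagosdesign.com",
    "www.fonts.com", "www.ascendercorp.com", "www.sakkal.com",
    "www.apache.org",
)

# Let's Encrypt OCSP/AIA/CRL/CPS endpoints embedded in X.509 certificates.
# They land in memory when the process validates a TLS server certificate.
CA_MARKERS = ("lencr.org", "letsencrypt.org")

# Constructed input: rows copied verbatim from the report's table, including
# the trailing bytes that string carving appended ("comessed", "org0").
REPORT_URLS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://www.carterandcone.comn-u",
    "http://www.fontbureau.comessed",
    "http://www.fontbureau.com/designers",
    "http://www.jiyu-kobo.co.jp/jp/:",
    "http://www.tiro.coms",
    "http://www.fonts.comic",
    "http://www.founder.com.cn/cnv",
    "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://www.ascendercorp.com/typedesigners.html",
    "http://www.sandoll.co.krk",
    "http://www.zhongyicts.com.cn",
    "http://www.monotype.ec",
    "http://www.sakkal.com-p",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "http://r3.i.lencr.org/0",
    "http://r3.o.lencr.org0",
    "http://x1.c.lencr.org/0",
    "http://cps.root-x1.letsencrypt.org0",
    "http://cps.letsencrypt.org0",
    "http://smtp.vivaldi.net",
    "http://DynDns.comDynDNS",
    "http://hPAZoH.com",
    "http://a8LHbhswx7q.org",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
]


def host_of(url: str) -> str:
    """Lower-cased host of a carved URL string, or '' if it has none.

    urlsplit copes with junk such as '127.0.0.1:HTTP/1.1' as long as only
    .hostname is read; .port would raise on the non-numeric port.
    """
    return urlsplit(url.strip()).hostname or ""


def classify(url: str) -> str:
    """Bucket one URL as loopback, font_metadata, cert_chain or candidate_ioc."""
    host = host_of(url)
    if host.startswith("127.") or host == "localhost":
        return "loopback"
    # Prefix match rather than equality: carving overruns yield hosts such as
    # 'www.fontbureau.comessed' that an exact comparison would let through.
    if any(host.startswith(vendor) for vendor in FONT_VENDOR_HOSTS):
        return "font_metadata"
    if any(marker in host for marker in CA_MARKERS):
        return "cert_chain"
    return "candidate_ioc"


def triage(urls):
    """Group unique hosts by bucket: {bucket: sorted list of hosts}."""
    buckets = defaultdict(set)
    for url in urls:
        buckets[classify(url)].add(host_of(url))
    return {bucket: sorted(hosts) for bucket, hosts in buckets.items()}


if __name__ == "__main__":
    result = triage(REPORT_URLS)
    for bucket in ("loopback", "font_metadata", "cert_chain", "candidate_ioc"):
        print(f"{bucket:14s} {len(result.get(bucket, []))}")
    print("review before blocking:", ", ".join(result["candidate_ioc"]))
```

Run on the subset above it leaves five candidate hosts, and the Contacted Domains table is the check to apply before any of them becomes a blocklist entry: only smtp.vivaldi.net resolved and was contacted during the run; the Tor download URL sits in the file on disk (its Source column names the sample itself, not a memory dump) but no connection to theonionrouter.com was observed; and hosts such as a8LHbhswx7q.org may be carving residue rather than infrastructure. Because smtp.vivaldi.net is a public mail provider's SMTP endpoint (the report rates it reputation high, malicious false), a domain block is a weak control; the durable detection is behavioural, an unrelated process opening an outbound SMTP session.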

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
31.209.137.12 | smtp.vivaldi.net | Iceland | 51896 | HRINGDU-ASIS | false

                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452732
Start date: 22.07.2021
Start time: 19:11:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Payment $67,765.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.1% (good quality ratio 11.6%)
• Quality average: 49.9%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• IPs excluded from analysis (whitelisted): 104.42.151.234, 204.79.197.200, 13.107.21.200, 93.184.220.29, 52.255.188.83, 23.35.236.56
• Domains excluded from analysis (whitelisted): www.bing.com, cs9.wac.phicdn.net, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, blobcollector.events.data.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus16.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
19:12:54 | API Interceptor | 1524x Sleep call for process: Payment $67,765.exe modified

                            Joe Sandbox View / Context

                            IPs

Match: 31.209.137.12
Associated Sample Name / URL | Detection
SecuriteInfo.com.W32.MSIL_Agent.CAC.genEldorado.5417.exe | malicious
DHL SHIPPING INVOICE.pdf.exe | malicious
URGENT REQUEST FOR QUOTATION.pdf.exe | malicious
RE Outstanding SOA Settled.exe | malicious
Swift Copy.exe | malicious
Swift Copy.exe | malicious
9872362-1926.exe | malicious
invoice.exe | malicious
Order.exe | malicious
SecuriteInfo.com.Artemis960D9DB7F7C9.7109.exe | malicious
PREPAYMENT.exe | malicious
SHIPPING DOCUMENTS.exe | malicious
quo 4542.exe | malicious
SHIPPING DOCUMENTS.exe | malicious
Swift TT copy.exe | malicious
SecuriteInfo.com.ArtemisA47F39CCDFEA.14562.exe | malicious
SecuriteInfo.com.Variant.Bulz.495766.21629.exe | malicious
COMMERCIAL INVOICE.exe | malicious
Scan 07.07.2021# 99147.exe | malicious
Quotes 04.06.2021.exe | malicious

                                                                    Domains

Match: smtp.vivaldi.net
Associated Sample Name / URL | Detection | Context
SecuriteInfo.com.W32.MSIL_Agent.CAC.genEldorado.5417.exe | malicious | 31.209.137.12
DHL SHIPPING INVOICE.pdf.exe | malicious | 31.209.137.12
URGENT REQUEST FOR QUOTATION.pdf.exe | malicious | 31.209.137.12
RE Outstanding SOA Settled.exe | malicious | 31.209.137.12
Swift Copy.exe | malicious | 31.209.137.12
Swift Copy.exe | malicious | 31.209.137.12
9872362-1926.exe | malicious | 31.209.137.12
invoice.exe | malicious | 31.209.137.12
Order.exe | malicious | 31.209.137.12
SecuriteInfo.com.Artemis960D9DB7F7C9.7109.exe | malicious | 31.209.137.12
PREPAYMENT.exe | malicious | 31.209.137.12
SHIPPING DOCUMENTS.exe | malicious | 31.209.137.12
quo 4542.exe | malicious | 31.209.137.12
SHIPPING DOCUMENTS.exe | malicious | 31.209.137.12
Swift TT copy.exe | malicious | 31.209.137.12
SecuriteInfo.com.ArtemisA47F39CCDFEA.14562.exe | malicious | 31.209.137.12
SecuriteInfo.com.Variant.Bulz.495766.21629.exe | malicious | 31.209.137.12
COMMERCIAL INVOICE.exe | malicious | 31.209.137.12
Scan 07.07.2021# 99147.exe | malicious | 31.209.137.12
Quotes 04.06.2021.exe | malicious | 31.209.137.12

ASN

Match | Associated Sample Name / URL | Detection | Context
HRINGDU-ASIS | SecuriteInfo.com.W32.MSIL_Agent.CAC.genEldorado.5417.exe | malicious | 31.209.137.12
 | DHL SHIPPING INVOICE.pdf.exe | malicious | 31.209.137.12
 | URGENT REQUEST FOR QUOTATION.pdf.exe | malicious | 31.209.137.12
 | RE Outstanding SOA Settled.exe | malicious | 31.209.137.12
 | Swift Copy.exe | malicious | 31.209.137.12
 | Swift Copy.exe | malicious | 31.209.137.12
 | 9872362-1926.exe | malicious | 31.209.137.12
 | invoice.exe | malicious | 31.209.137.12
 | Order.exe | malicious | 31.209.137.12
 | SecuriteInfo.com.Artemis960D9DB7F7C9.7109.exe | malicious | 31.209.137.12
 | PREPAYMENT.exe | malicious | 31.209.137.12
 | SHIPPING DOCUMENTS.exe | malicious | 31.209.137.12
 | quo 4542.exe | malicious | 31.209.137.12
 | SHIPPING DOCUMENTS.exe | malicious | 31.209.137.12
 | Swift TT copy.exe | malicious | 31.209.137.12
 | SecuriteInfo.com.ArtemisA47F39CCDFEA.14562.exe | malicious | 31.209.137.12
 | SecuriteInfo.com.Variant.Bulz.495766.21629.exe | malicious | 31.209.137.12
 | COMMERCIAL INVOICE.exe | malicious | 31.209.137.12
 | Scan 07.07.2021# 99147.exe | malicious | 31.209.137.12
 | Quotes 04.06.2021.exe | malicious | 31.209.137.12

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment $67,765.exe.log
Process: C:\Users\user\Desktop\Payment $67,765.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.779950459380049
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Payment $67,765.exe
File size: 784896
MD5: eaf39a263bece3cbd0d6b70e22c12d8f
SHA1: 6ca9713419a03c0d1ab3e7a17dc3256bae2acb59
SHA256: 2bd20bf1f968993cf9f212761a86b1745abf4990ddcd5d5c553f456dcff3535f
SHA512: 3d9802404d26a7033a10e319d4bf99c8b63b931d5980c5176d4f0fbe35904b506e14f4b3b4d6f0b71560429389a28f70788cb83f7da01da5ac0938f90cc96d99
SSDEEP: 12288:CYtMBhsEtFHuGMaaEowPYqafsjTa2lQQqgum9HRPNk36p8MJTcdB2QnUfxEVO7/W:HMBztMa1ow8fsjTVxjP/EnMo
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P.................. ... ....@.. .......................`............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x4c0c0e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60F88385 [Wed Jul 21 20:28:53 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al  (repeated 97 times; the bytes following the jmp are all zero, and 00 00 decodes as this instruction)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc0bb4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x640 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbec14 | 0xbee00 | False | 0.870332709152 | SysEx File - Voyce | 7.78926933063 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xc2000 | 0x640 | 0x800 | False | 0.34521484375 | data | 3.51813378508 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0776331623432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc20a0 | 0x3b4 | data | |
RT_MANIFEST | 0xc2454 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2014
Assembly Version | 2.1.0.0
InternalName | CountdownEve.exe
FileVersion | 2.1.0.0
CompanyName | Canon Viet Nam
LegalTrademarks |
Comments | Library for AGV control system
ProductName | ControlSystemLibrary
ProductVersion | 2.1.0.0
FileDescription | ControlSystemLibrary
OriginalFilename | CountdownEve.exe

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Jul 22, 2021 19:14:34.157295942 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:34.244965076 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:34.245240927 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:34.713717937 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:34.714492083 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:34.805103064 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:34.805233955 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:34.805751085 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:34.893631935 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:34.948091030 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.010996103 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.099308968 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.099344015 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.099364042 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.099380016 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.099464893 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.188544989 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.201056004 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.290427923 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.338676929 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.648452997 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.738795042 CEST5874969331.209.137.12192.168.2.5
                                                                    Jul 22, 2021 19:14:35.740365028 CEST49693587192.168.2.531.209.137.12
                                                                    Jul 22, 2021 19:14:35.829055071 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:35.830506086 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:35.960722923 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.010715961 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.011990070 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.099361897 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.100886106 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.101532936 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.225506067 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.226166964 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.316737890 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.319535971 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.319756031 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.320656061 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.320835114 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:14:36.409794092 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.409820080 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.409833908 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.409847021 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.429541111 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:36.479460001 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:16:13.919110060 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:16:14.010315895 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:16:14.051085949 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12
                                                                    Jul 22, 2021 19:16:14.141836882 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5
                                                                    Jul 22, 2021 19:16:14.150490999 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12

                                                                    UDP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Jul 22, 2021 19:12:19.539072990 CEST | 53183 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:19.589330912 CEST | 53 | 53183 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:20.682162046 CEST | 57587 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:20.739691973 CEST | 53 | 57587 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:20.853229046 CEST | 55432 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:20.903579950 CEST | 53 | 55432 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:21.069013119 CEST | 64936 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:21.134617090 CEST | 53 | 64936 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:22.262597084 CEST | 52704 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:22.319380999 CEST | 53 | 52704 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:23.416018009 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:23.465687990 CEST | 53 | 52212 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:24.248943090 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:24.309859037 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:25.098225117 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:25.150954962 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:26.440823078 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:26.490282059 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:27.679402113 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:27.728403091 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:12:35.511997938 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:12:35.592952013 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                                                                    Jul 22, 2021 19:14:33.924093008 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
                                                                    Jul 22, 2021 19:14:33.983745098 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5

                                                                    DNS Queries

                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                    Jul 22, 2021 19:14:33.924093008 CEST | 192.168.2.5 | 8.8.8.8 | 0x7d30 | Standard query (0) | smtp.vivaldi.net | A (IP address) | IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                    Jul 22, 2021 19:14:33.983745098 CEST | 8.8.8.8 | 192.168.2.5 | 0x7d30 | No error (0) | smtp.vivaldi.net | (none) | 31.209.137.12 | A (IP address) | IN (0x0001)

                                                                    SMTP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                    Jul 22, 2021 19:14:34.713717937 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5 | 220 smtp.vivaldi.net ESMTP Postfix (Ubuntu)
                                                                    Jul 22, 2021 19:14:34.714492083 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12 | EHLO 928100
                                                                    Jul 22, 2021 19:14:34.805233955 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5 | 250-smtp.vivaldi.net
                                                                                                                                                  250-PIPELINING
                                                                                                                                                  250-SIZE 36700160
                                                                                                                                                  250-ETRN
                                                                                                                                                  250-STARTTLS
                                                                                                                                                  250-ENHANCEDSTATUSCODES
                                                                                                                                                  250-8BITMIME
                                                                                                                                                  250-DSN
                                                                                                                                                  250 SMTPUTF8
                                                                    Jul 22, 2021 19:14:34.805751085 CEST | 49693 | 587 | 192.168.2.5 | 31.209.137.12 | STARTTLS
                                                                    Jul 22, 2021 19:14:34.893631935 CEST | 587 | 49693 | 31.209.137.12 | 192.168.2.5 | 220 2.0.0 Ready to start TLS

                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time: 19:12:27
                                                                    Start date: 22/07/2021
                                                                    Path: C:\Users\user\Desktop\Payment $67,765.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: 'C:\Users\user\Desktop\Payment $67,765.exe'
                                                                    Imagebase: 0x650000
                                                                    File size: 784896 bytes
                                                                    MD5 hash: EAF39A263BECE3CBD0D6B70E22C12D8F
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Reputation: low

                                                                    General

                                                                    Start time: 19:12:55
                                                                    Start date: 22/07/2021
                                                                    Path: C:\Users\user\Desktop\Payment $67,765.exe
                                                                    Wow64 process (32bit): true
                                                                    Commandline: C:\Users\user\Desktop\Payment $67,765.exe
                                                                    Imagebase: 0x7ff797770000
                                                                    File size: 784896 bytes
                                                                    MD5 hash: EAF39A263BECE3CBD0D6B70E22C12D8F
                                                                    Has elevated privileges: true
                                                                    Has administrator privileges: true
                                                                    Programmed in: .Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.772368800.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.776979004.0000000003098000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.776594989.0000000002FF1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation: low

                                                                    Disassembly

                                                                    Code Analysis
