Windows Analysis Report Payment Slip.exe

Overview

General Information

Sample Name: Payment Slip.exe
Analysis ID: 491436
MD5: 3d0d9c87ea732caf417afa0b8af62267
SHA1: dfb1e57a9cf498310cb7287f4b5792cbcd8b3974
SHA256: 95b6ba2be30399f87d20e021bee29f0eb46773b67407f3ed9987d22610d5249d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.yuumgo.academy/qfff/"], "decoy": ["lakechelanwedding.com", "jengly.com", "alluresme.com", "axswallet.com", "meetmedubai.com", "kortzfamily.com", "whishfullittles.com", "mts-consultant.com", "amhoses.com", "hdaz2.xyz", "lkgsbx.com", "b0ay.com", "hlthits.com", "dicsordgift.com", "bearaconnect.com", "strategicpropertyventures.com", "158393097102.xyz", "officesetupofficesetup.com", "industrynewz.com", "uperionorthamerica.com", "bucksmobilenotary.com", "clangadget.com", "jolix123.com", "jch.computer", "suddennnnnnnnnnnn43.xyz", "binbin-ads.com", "yshowmedia.com", "studentpair.com", "switchsmartcloud.com", "vywubey.xyz", "timdixonpreferredadvisors.com", "sturlabas.com", "kisskissfallinlove.com", "ivyrtp.com", "agohmarket.com", "spiritair-tickets.com", "savon-el.com", "paccarfinanical.com", "appios.xyz", "auxilvascular.com", "takesatisfy.club", "noframespanishfly.com", "nordesmarcom.com", "hbportalweb.online", "adhdwhatelse.com", "reparamospc.com", "footballrun.online", "mygreatsport.com", "onloe.com", "wargasarawak.com", "bhagwatiretail.com", "00333v.com", "relativewifi.com", "transferarea.com", "abodhakujena.com", "covidworld.info", "hetuart.com", "legacytailors.com", "inafukutest.com", "tiplovellc.com", "fruit-joy.com", "bnzvb.com", "calaverascoffee.com", "interweavelife.com"]}
Yara detected FormBook
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.Payment Slip.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Payment Slip.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Slip.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Payment Slip.exe, 00000005.00000002.785702615.00000000018A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Slip.exe, 00000005.00000002.785791059.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000D.00000002.934852520.0000000005120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Slip.exe, 00000005.00000002.785791059.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb source: Payment Slip.exe, 00000005.00000002.785702615.00000000018A0000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 45.39.212.49:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 45.39.212.49:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49814 -> 45.39.212.49:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 45.207.75.185 80
Source: C:\Windows\explorer.exe Domain query: www.b0ay.com
Source: C:\Windows\explorer.exe Network Connect: 75.102.22.71 80
Source: C:\Windows\explorer.exe Domain query: www.00333v.com
Source: C:\Windows\explorer.exe Domain query: www.interweavelife.com
Source: C:\Windows\explorer.exe Domain query: www.yuumgo.academy
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.axswallet.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe Network Connect: 45.39.212.49 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.yuumgo.academy/qfff/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /qfff/?zVsX=A0Gd4dmxD4WpN&h0Dpm=EtMhOrO65XWqZe1V/yWpI1DgXrgEJw48YTYdNBZuHNrU3gzc/ZcPLe5HxHKJImHY7C2C HTTP/1.1 | Host: www.00333v.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /qfff/?zVsX=A0Gd4dmxD4WpN&h0Dpm=iDjkn8VHWDd5B+WgyzOmaYrOSSt87z3Zq6ekoRCiL96i4fBr+80owih/KVqhv8s04Bt0 HTTP/1.1 | Host: www.yuumgo.academy | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /qfff/?h0Dpm=0w7wS7Gxy1y5PVkYFF5lNTBCNhhGoi1bMCJY/cwIOuW+ZMKS9RSTzNeIK/4fDqykK2MY&zVsX=A0Gd4dmxD4WpN HTTP/1.1 | Host: www.b0ay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /qfff/?zVsX=A0Gd4dmxD4WpN&h0Dpm=WUvvsVcot/hHbudm+hsx8n+3xo5kp+HgCKvLXtoOkn7qJe0B64lU7/LdjKxnrj37XfZ9 HTTP/1.1 | Host: www.axswallet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /qfff/?h0Dpm=vpb6mGWiOxgVIXv3RY5+KwgpuQ4maEKqCh4MrndOejQXnr3fUcd6GXEqF18QrWYsNfL0&zVsX=A0Gd4dmxD4WpN HTTP/1.1 | Host: www.interweavelife.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.211 198.54.117.211
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Slip.exe String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Slip.exe, 00000000.00000002.712015304.00000000065E2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.00333v.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Slip.exe
.NET source code contains very large strings
Source: Payment Slip.exe, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.0.Payment Slip.exe.190000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 0.2.Payment Slip.exe.190000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.0.Payment Slip.exe.350000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Source: 4.2.Payment Slip.exe.350000.0.unpack, Darwin.WindowsForm/SearchResults.cs Long String: Length: 34816
Uses 32bit PE files
Source: Payment Slip.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF67D8 0_2_06CF67D8
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF67C8 0_2_06CF67C8
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF5CC8 0_2_06CF5CC8
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_00197447 0_2_00197447
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 4_2_00357447 4_2_00357447
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041C147 5_2_0041C147
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041BBF1 5_2_0041BBF1
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041CB81 5_2_0041CB81
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00408C70 5_2_00408C70
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00D07447 5_2_00D07447
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514F900 13_2_0514F900
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05140D20 13_2_05140D20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05164120 13_2_05164120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05211D55 13_2_05211D55
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172581 13_2_05172581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515D5E0 13_2_0515D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515841F 13_2_0515841F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201002 13_2_05201002
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515B090 13_2_0515B090
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517EBB0 13_2_0517EBB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05166E30 13_2_05166E30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0111C147 13_2_0111C147
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0111CB81 13_2_0111CB81
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0111BBF1 13_2_0111BBF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01102D90 13_2_01102D90
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01102D87 13_2_01102D87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01108C70 13_2_01108C70
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01102FB0 13_2_01102FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cscript.exe Code function: String function: 0514B150 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004185B0 NtCreateFile, 5_2_004185B0
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00418660 NtReadFile, 5_2_00418660
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004186E0 NtClose, 5_2_004186E0
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00418790 NtAllocateVirtualMemory, 5_2_00418790
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004185AC NtCreateFile, 5_2_004185AC
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041865A NtReadFile, 5_2_0041865A
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004186DA NtClose, 5_2_004186DA
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041870A NtReadFile, 5_2_0041870A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_05189910
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189540 NtReadFile,LdrInitializeThunk, 13_2_05189540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051899A0 NtCreateSection,LdrInitializeThunk, 13_2_051899A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051895D0 NtClose,LdrInitializeThunk, 13_2_051895D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189840 NtDelayExecution,LdrInitializeThunk, 13_2_05189840
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_05189860
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189710 NtQueryInformationToken,LdrInitializeThunk, 13_2_05189710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189780 NtMapViewOfSection,LdrInitializeThunk, 13_2_05189780
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189FE0 NtCreateMutant,LdrInitializeThunk, 13_2_05189FE0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189650 NtQueryValueKey,LdrInitializeThunk, 13_2_05189650
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189A50 NtCreateFile,LdrInitializeThunk, 13_2_05189A50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_05189660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051896D0 NtCreateKey,LdrInitializeThunk, 13_2_051896D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051896E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_051896E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518AD30 NtSetContextThread, 13_2_0518AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189520 NtWaitForSingleObject, 13_2_05189520
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189950 NtQueueApcThread, 13_2_05189950
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189560 NtWriteFile, 13_2_05189560
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051899D0 NtCreateProcessEx, 13_2_051899D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051895F0 NtQueryInformationFile, 13_2_051895F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189820 NtEnumerateKey, 13_2_05189820
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518B040 NtSuspendThread, 13_2_0518B040
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051898A0 NtWriteVirtualMemory, 13_2_051898A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051898F0 NtReadVirtualMemory, 13_2_051898F0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518A710 NtOpenProcessToken, 13_2_0518A710
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189B00 NtSetValueKey, 13_2_05189B00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189730 NtQueryVirtualMemory, 13_2_05189730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189770 NtSetInformationFile, 13_2_05189770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518A770 NtOpenThread, 13_2_0518A770
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189760 NtOpenProcess, 13_2_05189760
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518A3B0 NtGetContextThread, 13_2_0518A3B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051897A0 NtUnmapViewOfSection, 13_2_051897A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189610 NtEnumerateValueKey, 13_2_05189610
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189A10 NtQuerySection, 13_2_05189A10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189A00 NtProtectVirtualMemory, 13_2_05189A00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189A20 NtResumeThread, 13_2_05189A20
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189670 NtQueryInformationProcess, 13_2_05189670
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05189A80 NtOpenDirectoryObject, 13_2_05189A80
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_011185B0 NtCreateFile, 13_2_011185B0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01118790 NtAllocateVirtualMemory, 13_2_01118790
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_01118660 NtReadFile, 13_2_01118660
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_011186E0 NtClose, 13_2_011186E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_011185AC NtCreateFile, 13_2_011185AC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0111870A NtReadFile, 13_2_0111870A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0111865A NtReadFile, 13_2_0111865A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_011186DA NtClose, 13_2_011186DA
Sample file is different than original file name gathered from version info
Source: Payment Slip.exe, 00000000.00000000.668340749.0000000000246000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTypeNameNati.exe4 vs Payment Slip.exe
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameColladaLoader.dll4 vs Payment Slip.exe
Source: Payment Slip.exe, 00000000.00000002.713221501.0000000006BA0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Payment Slip.exe
Source: Payment Slip.exe, 00000004.00000002.706578283.0000000000406000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTypeNameNati.exe4 vs Payment Slip.exe
Source: Payment Slip.exe, 00000005.00000002.785702615.00000000018A0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamecscript.exe` vs Payment Slip.exe
Source: Payment Slip.exe, 00000005.00000002.786961338.0000000001C0F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Slip.exe
Source: Payment Slip.exe, 00000005.00000000.706865213.0000000000DB6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTypeNameNati.exe4 vs Payment Slip.exe
Source: Payment Slip.exe Binary or memory string: OriginalFilenameTypeNameNati.exe4 vs Payment Slip.exe
PE file contains strange resources
Source: Payment Slip.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uVxomBuy.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\Payment Slip.exe File read: C:\Users\user\Desktop\Payment Slip.exe
Source: Payment Slip.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Payment Slip.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Payment Slip.exe 'C:\Users\user\Desktop\Payment Slip.exe'
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uVxomBuy' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F38.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Users\user\Desktop\Payment Slip.exe C:\Users\user\Desktop\Payment Slip.exe
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Users\user\Desktop\Payment Slip.exe C:\Users\user\Desktop\Payment Slip.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Slip.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Slip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Payment Slip.exe File created: C:\Users\user\AppData\Roaming\uVxomBuy.exe
Source: C:\Users\user\Desktop\Payment Slip.exe File created: C:\Users\user\AppData\Local\Temp\tmp4F38.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/4@6/5
Source: C:\Users\user\Desktop\Payment Slip.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Payment Slip.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment Slip.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Slip.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cscript.pdbUGP source: Payment Slip.exe, 00000005.00000002.785702615.00000000018A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: Payment Slip.exe, 00000005.00000002.785791059.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000D.00000002.934852520.0000000005120000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Payment Slip.exe, 00000005.00000002.785791059.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source: Binary string: cscript.pdb source: Payment Slip.exe, 00000005.00000002.785702615.00000000018A0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: Payment Slip.exe, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Payment Slip.exe.190000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Payment Slip.exe.190000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Payment Slip.exe.350000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Payment Slip.exe.350000.0.unpack, Darwin.WindowsForm/MainForm.cs .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4EFB push ds; iretd 0_2_06CF4EFE
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4E7F push cs; iretd 0_2_06CF4EC2
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4FDB push cs; iretd 0_2_06CF4FDE
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4FAD push cs; iretd 0_2_06CF4FBE
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4F61 push es; retf 0_2_06CF4F64
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4F7F push es; iretd 0_2_06CF4F80
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4F3B push cs; iretd 0_2_06CF4F42
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4F31 push es; iretd 0_2_06CF4F3A
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4C9F push ss; iretd 0_2_06CF4CA2
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4CAB push 0000001Ch; iretd 0_2_06CF4CAE
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4C5B push ss; iretd 0_2_06CF4C62
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4DCB push es; retf 0_2_06CF4DCC
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF2DDE push edx; iretd 0_2_06CF2DE0
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4DF1 push ss; iretd 0_2_06CF4DF2
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4D87 push ds; iretd 0_2_06CF4D8A
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4D0F push es; iretd 0_2_06CF4D1A
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF4D37 push es; ret 0_2_06CF4D38
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF521B push es; iretd 0_2_06CF521C
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF5083 push es; iretd 0_2_06CF5088
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF504F push dword ptr [eax]; iretd 0_2_06CF5052
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF5067 push ds; iretd 0_2_06CF5072
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF0007 push es; iretd 0_2_06CF001C
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF51A3 push cs; iretd 0_2_06CF51AA
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF5117 push es; retf 0_2_06CF5118
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 0_2_06CF5123 push es; iretd 0_2_06CF512C
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041B85C push eax; ret 5_2_0041B862
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004160D6 push ss; iretd 5_2_004160D9
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00415D5A pushfd ; ret 5_2_00415D5F
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041A678 push ecx; ret 5_2_0041A679
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041B7F2 push eax; ret 5_2_0041B7F8
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_0041B7FB push eax; ret 5_2_0041B862
Source: initial sample Static PE information: section name: .text entropy: 6.9991644311

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Payment Slip.exe File created: C:\Users\user\AppData\Roaming\uVxomBuy.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uVxomBuy' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F38.tmp'

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del 'C:\Users\user\Desktop\Payment Slip.exe'
Source: C:\Users\user\Desktop\Payment Slip.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.Payment Slip.exe.2658590.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.708947520.000000000268B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Slip.exe PID: 4768, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Payment Slip.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment Slip.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000001108604 second address: 000000000110860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 000000000110898E second address: 0000000001108994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment Slip.exe TID: 4576 Thread sleep time: -42483s >= -30000s
Source: C:\Users\user\Desktop\Payment Slip.exe TID: 6776 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment Slip.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Slip.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Thread delayed: delay time: 42483
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.754516320.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.729004409.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.733203652.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000006.00000000.747880132.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.733203652.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.747880132.0000000004710000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000006.00000000.718875548.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: Payment Slip.exe, 00000000.00000002.708859665.0000000002601000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_004088C0 rdtsc 5_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Slip.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149100 mov eax, dword ptr fs:[00000030h] 13_2_05149100
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218D34 mov eax, dword ptr fs:[00000030h] 13_2_05218D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05153D34 mov eax, dword ptr fs:[00000030h] 13_2_05153D34
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514AD30 mov eax, dword ptr fs:[00000030h] 13_2_0514AD30
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051CA537 mov eax, dword ptr fs:[00000030h] 13_2_051CA537
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05174D3B mov eax, dword ptr fs:[00000030h] 13_2_05174D3B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517513A mov eax, dword ptr fs:[00000030h] 13_2_0517513A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05164120 mov eax, dword ptr fs:[00000030h] 13_2_05164120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05164120 mov ecx, dword ptr fs:[00000030h] 13_2_05164120
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05167D50 mov eax, dword ptr fs:[00000030h] 13_2_05167D50
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516B944 mov eax, dword ptr fs:[00000030h] 13_2_0516B944
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05183D43 mov eax, dword ptr fs:[00000030h] 13_2_05183D43
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C3540 mov eax, dword ptr fs:[00000030h] 13_2_051C3540
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516C577 mov eax, dword ptr fs:[00000030h] 13_2_0516C577
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514B171 mov eax, dword ptr fs:[00000030h] 13_2_0514B171
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514C962 mov eax, dword ptr fs:[00000030h] 13_2_0514C962
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172990 mov eax, dword ptr fs:[00000030h] 13_2_05172990
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517FD9B mov eax, dword ptr fs:[00000030h] 13_2_0517FD9B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A185 mov eax, dword ptr fs:[00000030h] 13_2_0517A185
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516C182 mov eax, dword ptr fs:[00000030h] 13_2_0516C182
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172581 mov eax, dword ptr fs:[00000030h] 13_2_05172581
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05142D8A mov eax, dword ptr fs:[00000030h] 13_2_05142D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05142D8A mov eax, dword ptr fs:[00000030h] 13_2_05142D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05142D8A mov eax, dword ptr fs:[00000030h] 13_2_05142D8A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05171DB5 mov eax, dword ptr fs:[00000030h] 13_2_05171DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05171DB5 mov eax, dword ptr fs:[00000030h] 13_2_05171DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05171DB5 mov eax, dword ptr fs:[00000030h] 13_2_05171DB5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C51BE mov eax, dword ptr fs:[00000030h] 13_2_051C51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C51BE mov eax, dword ptr fs:[00000030h] 13_2_051C51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C51BE mov eax, dword ptr fs:[00000030h] 13_2_051C51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C51BE mov eax, dword ptr fs:[00000030h] 13_2_051C51BE
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051735A1 mov eax, dword ptr fs:[00000030h] 13_2_051735A1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051761A0 mov eax, dword ptr fs:[00000030h] 13_2_051761A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051761A0 mov eax, dword ptr fs:[00000030h] 13_2_051761A0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C69A6 mov eax, dword ptr fs:[00000030h] 13_2_051C69A6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051F8DF1 mov eax, dword ptr fs:[00000030h] 13_2_051F8DF1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0514B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0514B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0514B1E1
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051D41E8 mov eax, dword ptr fs:[00000030h] 13_2_051D41E8
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0515D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0515D5E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7016 mov eax, dword ptr fs:[00000030h] 13_2_051C7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7016 mov eax, dword ptr fs:[00000030h] 13_2_051C7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7016 mov eax, dword ptr fs:[00000030h] 13_2_051C7016
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6C0A mov eax, dword ptr fs:[00000030h] 13_2_051C6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6C0A mov eax, dword ptr fs:[00000030h] 13_2_051C6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6C0A mov eax, dword ptr fs:[00000030h] 13_2_051C6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6C0A mov eax, dword ptr fs:[00000030h] 13_2_051C6C0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05201C06 mov eax, dword ptr fs:[00000030h] 13_2_05201C06
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0521740D mov eax, dword ptr fs:[00000030h] 13_2_0521740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0521740D mov eax, dword ptr fs:[00000030h] 13_2_0521740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0521740D mov eax, dword ptr fs:[00000030h] 13_2_0521740D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05214015 mov eax, dword ptr fs:[00000030h] 13_2_05214015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05214015 mov eax, dword ptr fs:[00000030h] 13_2_05214015
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517002D mov eax, dword ptr fs:[00000030h] 13_2_0517002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517002D mov eax, dword ptr fs:[00000030h] 13_2_0517002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517002D mov eax, dword ptr fs:[00000030h] 13_2_0517002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517002D mov eax, dword ptr fs:[00000030h] 13_2_0517002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517002D mov eax, dword ptr fs:[00000030h] 13_2_0517002D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517BC2C mov eax, dword ptr fs:[00000030h] 13_2_0517BC2C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515B02A mov eax, dword ptr fs:[00000030h] 13_2_0515B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515B02A mov eax, dword ptr fs:[00000030h] 13_2_0515B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515B02A mov eax, dword ptr fs:[00000030h] 13_2_0515B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515B02A mov eax, dword ptr fs:[00000030h] 13_2_0515B02A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05160050 mov eax, dword ptr fs:[00000030h] 13_2_05160050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05160050 mov eax, dword ptr fs:[00000030h] 13_2_05160050
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DC450 mov eax, dword ptr fs:[00000030h] 13_2_051DC450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DC450 mov eax, dword ptr fs:[00000030h] 13_2_051DC450
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05202073 mov eax, dword ptr fs:[00000030h] 13_2_05202073
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05211074 mov eax, dword ptr fs:[00000030h] 13_2_05211074
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A44B mov eax, dword ptr fs:[00000030h] 13_2_0517A44B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516746D mov eax, dword ptr fs:[00000030h] 13_2_0516746D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515849B mov eax, dword ptr fs:[00000030h] 13_2_0515849B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149080 mov eax, dword ptr fs:[00000030h] 13_2_05149080
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C3884 mov eax, dword ptr fs:[00000030h] 13_2_051C3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C3884 mov eax, dword ptr fs:[00000030h] 13_2_051C3884
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0517F0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517F0BF mov eax, dword ptr fs:[00000030h] 13_2_0517F0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517F0BF mov eax, dword ptr fs:[00000030h] 13_2_0517F0BF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051890AF mov eax, dword ptr fs:[00000030h] 13_2_051890AF
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov eax, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov ecx, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov eax, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov eax, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov eax, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DB8D0 mov eax, dword ptr fs:[00000030h] 13_2_051DB8D0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_052014FB mov eax, dword ptr fs:[00000030h] 13_2_052014FB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6CF0 mov eax, dword ptr fs:[00000030h] 13_2_051C6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6CF0 mov eax, dword ptr fs:[00000030h] 13_2_051C6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C6CF0 mov eax, dword ptr fs:[00000030h] 13_2_051C6CF0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218CD6 mov eax, dword ptr fs:[00000030h] 13_2_05218CD6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516F716 mov eax, dword ptr fs:[00000030h] 13_2_0516F716
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DFF10 mov eax, dword ptr fs:[00000030h] 13_2_051DFF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DFF10 mov eax, dword ptr fs:[00000030h] 13_2_051DFF10
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A70E mov eax, dword ptr fs:[00000030h] 13_2_0517A70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A70E mov eax, dword ptr fs:[00000030h] 13_2_0517A70E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517E730 mov eax, dword ptr fs:[00000030h] 13_2_0517E730
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0521070D mov eax, dword ptr fs:[00000030h] 13_2_0521070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0521070D mov eax, dword ptr fs:[00000030h] 13_2_0521070D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05144F2E mov eax, dword ptr fs:[00000030h] 13_2_05144F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05144F2E mov eax, dword ptr fs:[00000030h] 13_2_05144F2E
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0520131B mov eax, dword ptr fs:[00000030h] 13_2_0520131B
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218F6A mov eax, dword ptr fs:[00000030h] 13_2_05218F6A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514F358 mov eax, dword ptr fs:[00000030h] 13_2_0514F358
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514DB40 mov eax, dword ptr fs:[00000030h] 13_2_0514DB40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515EF40 mov eax, dword ptr fs:[00000030h] 13_2_0515EF40
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05173B7A mov eax, dword ptr fs:[00000030h] 13_2_05173B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05173B7A mov eax, dword ptr fs:[00000030h] 13_2_05173B7A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514DB60 mov ecx, dword ptr fs:[00000030h] 13_2_0514DB60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515FF60 mov eax, dword ptr fs:[00000030h] 13_2_0515FF60
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218B58 mov eax, dword ptr fs:[00000030h] 13_2_05218B58
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172397 mov eax, dword ptr fs:[00000030h] 13_2_05172397
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05158794 mov eax, dword ptr fs:[00000030h] 13_2_05158794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05215BA5 mov eax, dword ptr fs:[00000030h] 13_2_05215BA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517B390 mov eax, dword ptr fs:[00000030h] 13_2_0517B390
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7794 mov eax, dword ptr fs:[00000030h] 13_2_051C7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7794 mov eax, dword ptr fs:[00000030h] 13_2_051C7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C7794 mov eax, dword ptr fs:[00000030h] 13_2_051C7794
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05151B8F mov eax, dword ptr fs:[00000030h] 13_2_05151B8F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05151B8F mov eax, dword ptr fs:[00000030h] 13_2_05151B8F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051FD380 mov ecx, dword ptr fs:[00000030h] 13_2_051FD380
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0520138A mov eax, dword ptr fs:[00000030h] 13_2_0520138A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05174BAD mov eax, dword ptr fs:[00000030h] 13_2_05174BAD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05174BAD mov eax, dword ptr fs:[00000030h] 13_2_05174BAD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05174BAD mov eax, dword ptr fs:[00000030h] 13_2_05174BAD
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C53CA mov eax, dword ptr fs:[00000030h] 13_2_051C53CA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C53CA mov eax, dword ptr fs:[00000030h] 13_2_051C53CA
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051837F5 mov eax, dword ptr fs:[00000030h] 13_2_051837F5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051703E2 mov eax, dword ptr fs:[00000030h] 13_2_051703E2
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514AA16 mov eax, dword ptr fs:[00000030h] 13_2_0514AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514AA16 mov eax, dword ptr fs:[00000030h] 13_2_0514AA16
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05163A1C mov eax, dword ptr fs:[00000030h] 13_2_05163A1C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A61C mov eax, dword ptr fs:[00000030h] 13_2_0517A61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517A61C mov eax, dword ptr fs:[00000030h] 13_2_0517A61C
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514C600 mov eax, dword ptr fs:[00000030h] 13_2_0514C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514C600 mov eax, dword ptr fs:[00000030h] 13_2_0514C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514C600 mov eax, dword ptr fs:[00000030h] 13_2_0514C600
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05178E00 mov eax, dword ptr fs:[00000030h] 13_2_05178E00
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05158A0A mov eax, dword ptr fs:[00000030h] 13_2_05158A0A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051FFE3F mov eax, dword ptr fs:[00000030h] 13_2_051FFE3F
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0514E620 mov eax, dword ptr fs:[00000030h] 13_2_0514E620
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218A62 mov eax, dword ptr fs:[00000030h] 13_2_05218A62
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051D4257 mov eax, dword ptr fs:[00000030h] 13_2_051D4257
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149240 mov eax, dword ptr fs:[00000030h] 13_2_05149240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149240 mov eax, dword ptr fs:[00000030h] 13_2_05149240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149240 mov eax, dword ptr fs:[00000030h] 13_2_05149240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05149240 mov eax, dword ptr fs:[00000030h] 13_2_05149240
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05157E41 mov eax, dword ptr fs:[00000030h] 13_2_05157E41
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0518927A mov eax, dword ptr fs:[00000030h] 13_2_0518927A
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516AE73 mov eax, dword ptr fs:[00000030h] 13_2_0516AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516AE73 mov eax, dword ptr fs:[00000030h] 13_2_0516AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516AE73 mov eax, dword ptr fs:[00000030h] 13_2_0516AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516AE73 mov eax, dword ptr fs:[00000030h] 13_2_0516AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0516AE73 mov eax, dword ptr fs:[00000030h] 13_2_0516AE73
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515766D mov eax, dword ptr fs:[00000030h] 13_2_0515766D
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051FB260 mov eax, dword ptr fs:[00000030h] 13_2_051FB260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051FB260 mov eax, dword ptr fs:[00000030h] 13_2_051FB260
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517D294 mov eax, dword ptr fs:[00000030h] 13_2_0517D294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517D294 mov eax, dword ptr fs:[00000030h] 13_2_0517D294
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05210EA5 mov eax, dword ptr fs:[00000030h] 13_2_05210EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05210EA5 mov eax, dword ptr fs:[00000030h] 13_2_05210EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05210EA5 mov eax, dword ptr fs:[00000030h] 13_2_05210EA5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051DFE87 mov eax, dword ptr fs:[00000030h] 13_2_051DFE87
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0515AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0515AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0515AAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_0517FAB0 mov eax, dword ptr fs:[00000030h] 13_2_0517FAB0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051452A5 mov eax, dword ptr fs:[00000030h] 13_2_051452A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051452A5 mov eax, dword ptr fs:[00000030h] 13_2_051452A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051452A5 mov eax, dword ptr fs:[00000030h] 13_2_051452A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051452A5 mov eax, dword ptr fs:[00000030h] 13_2_051452A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051452A5 mov eax, dword ptr fs:[00000030h] 13_2_051452A5
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051C46A7 mov eax, dword ptr fs:[00000030h] 13_2_051C46A7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051736CC mov eax, dword ptr fs:[00000030h] 13_2_051736CC
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172ACB mov eax, dword ptr fs:[00000030h] 13_2_05172ACB
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051FFEC0 mov eax, dword ptr fs:[00000030h] 13_2_051FFEC0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05188EC7 mov eax, dword ptr fs:[00000030h] 13_2_05188EC7
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05172AE4 mov eax, dword ptr fs:[00000030h] 13_2_05172AE4
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051716E0 mov ecx, dword ptr fs:[00000030h] 13_2_051716E0
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_05218ED6 mov eax, dword ptr fs:[00000030h] 13_2_05218ED6
Source: C:\Windows\SysWOW64\cscript.exe Code function: 13_2_051576E2 mov eax, dword ptr fs:[00000030h] 13_2_051576E2
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Payment Slip.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment Slip.exe Code function: 5_2_00409B30 LdrLoadDll, 5_2_00409B30
Source: C:\Users\user\Desktop\Payment Slip.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 45.207.75.185 80
Source: C:\Windows\explorer.exe Domain query: www.b0ay.com
Source: C:\Windows\explorer.exe Network Connect: 75.102.22.71 80
Source: C:\Windows\explorer.exe Domain query: www.00333v.com
Source: C:\Windows\explorer.exe Domain query: www.interweavelife.com
Source: C:\Windows\explorer.exe Domain query: www.yuumgo.academy
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.axswallet.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.211 80
Source: C:\Windows\explorer.exe Network Connect: 45.39.212.49 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Payment Slip.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 11F0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Payment Slip.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment Slip.exe Memory written: C:\Users\user\Desktop\Payment Slip.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Payment Slip.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Payment Slip.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cscript.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uVxomBuy' /XML 'C:\Users\user\AppData\Local\Temp\tmp4F38.tmp'
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Users\user\Desktop\Payment Slip.exe C:\Users\user\Desktop\Payment Slip.exe
Source: C:\Users\user\Desktop\Payment Slip.exe Process created: C:\Users\user\Desktop\Payment Slip.exe C:\Users\user\Desktop\Payment Slip.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment Slip.exe'
Source: explorer.exe, 00000006.00000000.746546416.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.710234796.0000000001080000.00000002.00020000.sdmp, cscript.exe, 0000000D.00000002.934610574.00000000039E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.710234796.0000000001080000.00000002.00020000.sdmp, cscript.exe, 0000000D.00000002.934610574.00000000039E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.710234796.0000000001080000.00000002.00020000.sdmp, cscript.exe, 0000000D.00000002.934610574.00000000039E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.710234796.0000000001080000.00000002.00020000.sdmp, cscript.exe, 0000000D.00000002.934610574.00000000039E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.733203652.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Users\user\Desktop\Payment Slip.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Slip.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Payment Slip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.782630909.0000000001760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934465123.0000000003320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.782784962.0000000001790000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.734770163.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.933954904.0000000001100000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.778404636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.757013579.000000000DA63000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.934788453.0000000004FD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.709746313.0000000003601000.00000004.00000001.sdmp, type: MEMORY