
Windows Analysis Report
https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file

Overview

General Information

Sample URL: https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file
Analysis ID: 1466754

Detection

AgentTesla
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected Telegram RAT
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 7104 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6208 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1936,i,2450979188603776666,51600716851127357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • OpenWith.exe (PID: 5936 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • OpenWith.exe (PID: 3736 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • 7z.exe (PID: 7648 cmdline: "C:\Program Files\7-Zip\7z.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz" MD5: 9A1DD1D96481D61934DCC2D568971D06)
      • conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OpenWith.exe (PID: 7732 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • 7zG.exe (PID: 7920 cmdline: "C:\Program Files\7-Zip\7zG.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz" MD5: 50F289DF0C19484E970849AAC4E6F977)
  • 7zFM.exe (PID: 1360 cmdline: "C:\Program Files\7-Zip\7zFM.exe" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
    • Confirmation of Payment.exe (PID: 1640 cmdline: "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe" MD5: 99E6F6EE55FB91D2FD30F460954A2C9A)
      • schtasks.exe (PID: 5928 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Confirmation of Payment.exe (PID: 1508 cmdline: "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe" MD5: 99E6F6EE55FB91D2FD30F460954A2C9A)
  • rundll32.exe (PID: 3492 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Yara matches (Source | Rule | Description | Author):
00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Sigma matches:
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe", ParentImage: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe, ParentProcessId: 1640, ParentProcessName: Confirmation of Payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", ProcessId: 5928, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe", ParentImage: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe, ParentProcessId: 1640, ParentProcessName: Confirmation of Payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", ProcessId: 5928, ProcessName: schtasks.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe", ParentImage: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe, ParentProcessId: 1640, ParentProcessName: Confirmation of Payment.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp", ProcessId: 5928, ProcessName: schtasks.exe

Snort IDS alert:
Timestamp: 07/03/24-10:56:16.977458
SID: 2851779
Source Port: 49723
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.200:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.16:49723 version: TLS 1.2

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.16:49723 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: global traffic | DNS traffic detected: DNS query: www.mediafire.com
Source: global traffic | DNS traffic detected: DNS query: download2438.mediafire.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine | Classification label: mal80.troj.win@32/8@9/87
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\cfced784-b5de-4813-9184-eb503aabf06e.tmp
Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Mutant created: NULL
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3736:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Mutant created: \Sessions\1\BaseNamedObjects\DUagELbv
Source: C:\Program Files\7-Zip\7zFM.exe | File created: C:\Users\user\AppData\Local\Temp\7zO0556825B
Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1936,i,2450979188603776666,51600716851127357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1936,i,2450979188603776666,51600716851127357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
Source: C:\Program Files\7-Zip\7z.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
Source: unknown | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe"
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe"
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe"
Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Process created: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe "C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp"
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wtsapi32.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositorycore.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: mrmcorer.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: ninput.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: explorerframe.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: dataexchange.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: msftedit.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.globalization.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: globinputhost.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: structuredquery.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: atlthunk.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.fileexplorer.common.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.search.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: linkinfo.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: ntshrui.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: cscapi.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: winmm.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: networkexplorer.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: ehstorshell.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: cscui.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: smartscreenps.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: shdocvw.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: pcacli.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: mpr.dll
        Source: C:\Windows\System32\OpenWith.exeSection loaded: sfc_os.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: uxtheme.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textshaping.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: textinputframework.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coreuicomponents.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: coremessaging.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: ntmarta.dll
        Source: C:\Program Files\7-Zip\7zG.exe | Section loaded: wintypes.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: uxtheme.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: kernel.appcore.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: textshaping.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.storage.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wldp.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windowscodecs.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: profapi.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: propsys.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: thumbcache.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: policymanager.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: msvcp110_win.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: textinputframework.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: coreuicomponents.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: coremessaging.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: ntmarta.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wintypes.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dataexchange.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: d3d11.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dcomp.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dxgi.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: twinapi.appcore.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: mrmcorer.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: iertutil.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.staterepositorycore.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: appxdeploymentclient.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: bcp47mrm.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.ui.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windowmanagementapi.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: inputhost.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: edputil.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wkscli.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: netutils.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: provsvc.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: apphelp.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: explorerframe.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: cryptbase.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: urlmon.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: srvcli.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sspicli.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: appresolver.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: bcp47langs.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: slc.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: userenv.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sppc.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: pcacli.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: mpr.dll
        Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sfc_os.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: version.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: wldp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: profapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: dwrite.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: amsi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: userenv.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: windowscodecs.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: edputil.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: netutils.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: slc.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: sppc.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Windows\System32\OpenWith.exe | File opened: C:\Windows\system32\MsftEdit.dll
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

        Boot Survival

        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
        Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\7-Zip\7zFM.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 31E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 31E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 51E0000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 9180000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: A180000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: A380000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: B380000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: B770000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: C770000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: D770000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: E910000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: F910000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 10910000 memory reserve | memory write watch
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: 11910000 memory reserve | memory write watch
        Source: C:\Windows\System32\OpenWith.exe TID: 3524Thread sleep count: 84 > 30
        Source: C:\Windows\System32\OpenWith.exe TID: 7736Thread sleep count: 50 > 30
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeMemory allocated: page read and write | page guard
        Source: C:\Windows\System32\OpenWith.exeProcess created: C:\Program Files\7-Zip\7z.exe "C:\Program Files\7-Zip\7z.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
        Source: C:\Windows\System32\OpenWith.exeProcess created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" "C:\Users\user\Downloads\Confirmation of Payment.tgz"
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xZEHZz" /XML "C:\Users\user\AppData\Local\Temp\tmp379D.tmp"
        Source: C:\Program Files\7-Zip\7zFM.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\Users\user\Documents\My Music VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\Users\user\Application Data VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\Users\user\Cookies VolumeInformation
        Source: C:\Program Files\7-Zip\7zFM.exeQueries volume information: C:\Users\user\SendTo VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exe VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userbril.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userbrii.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userbrili.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userFR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userFI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userFB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userST.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userSTI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userSTB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\userSTBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Users\user\AppData\Local\Temp\7zO0551BC5B\Confirmation of Payment.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        barindex
        Source: Yara matchFile source: 00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        barindex
        Source: Yara matchFile source: 00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000018.00000002.2396793845.0000000004237000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        MITRE ATT&CK Matrix (read one tactic column at a time; a leading number marks a technique matched by this analysis and gives its match count)
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
        Persistence: 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
        Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts
        Defense Evasion: 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 11 Process Injection; 1 Rundll32; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: 2 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Command and Control: 1 Web Service; 2 Encrypted Channel; 1 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label | Link
https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file | 0% | Virustotal | | Browse
https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file | 0% | Avira URL Cloud | safe |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
www.mediafire.com | 0% | Virustotal | | Browse
download2438.mediafire.com | 0% | Virustotal | | Browse
www.google.com | 0% | Virustotal | | Browse
api.telegram.org | 2% | Virustotal | | Browse
        No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.mediafire.com | 104.16.113.74 | true | false | | unknown
download2438.mediafire.com | 199.91.155.179 | true | false | | unknown
www.google.com | 172.217.18.4 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown
        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.16.113.74 | www.mediafire.com | United States | | 13335 | CLOUDFLARENETUS | false
239.255.255.250 | unknown | Reserved | | unknown | unknown | false
172.217.18.4 | www.google.com | United States | | 15169 | GOOGLEUS | false
64.233.184.84 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.186.110 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.184.238 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | | 15169 | GOOGLEUS | false
199.91.155.179 | download2438.mediafire.com | United States | | 46179 | MEDIAFIREUS | false
216.58.206.35 | unknown | United States | | 15169 | GOOGLEUS | false
        IP
        192.168.2.16
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1466754
        Start date and time:2024-07-03 10:53:40 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsinteractivecookbook.jbs
        Sample URL:https://www.mediafire.com/file/9gqqmzveuoh1gqc/Confirmation+of+Payment.tgz/file
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:30
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • EGA enabled
        Analysis Mode:stream
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal80.troj.win@32/8@9/87
        • Exclude process from analysis (whitelisted): svchost.exe
        • Excluded IPs from analysis (whitelisted): 142.250.185.227, 142.250.184.238, 64.233.184.84, 34.104.35.123, 199.232.210.172
        • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed, report is missing behavior information
        • Report size getting too big, too many NtEnumerateKey calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 07:54:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2673
        Entropy (8bit):3.991356023616002
        Encrypted:false
        SSDEEP:
        MD5:F5E0E7247996F820CEB047EA49F7F7F4
        SHA1:56317BBA1E4057E2EB3A86BAA93D90D7F3C56529
        SHA-256:4BD791A85BA84712F9B28FA6A1B37C3F3E2B84136A0327DA75D61DDAEC32E7FD
        SHA-512:528F18602CB747E65323CBE210E01FADCBAA05A4ECA0DC9255AF2E0E463541BDABF1D584F096F57C6312D635B41B41F5BBF61B960A8A2BA21FD25881B224AF28
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 07:54:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2675
        Entropy (8bit):4.008006540675918
        Encrypted:false
        SSDEEP:
        MD5:AFDD849B8609B94C6B3FBBE28CC60369
        SHA1:5CFEABDBF49328CEC010621A2361E43DC4476ECB
        SHA-256:91534DC296D379D625244EA266CBB91C7707B554C4CCA9C1C7CB5940A805A121
        SHA-512:A34E31C303A9A7DC0AF6BC8035330113B749551D6D3F1724E1B0FC865089756E916C24DC72300CF4730558692A0291141837A92473F2663FC1679000626D0890
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2689
        Entropy (8bit):4.013367087713471
        Encrypted:false
        SSDEEP:
        MD5:92EC5BF84DCC0ED98BA1941184CD0F84
        SHA1:30E1915E7622C66F6519837B70B2C1950CBBE4E2
        SHA-256:0214A4199ED2B7CC05A6C6751B8018DE23EC45EF4A2DBBA419B8A07337DE175A
        SHA-512:720E79E2B78D584F69C3BDCCE6D3BC28BFBED00B62EC79F67354D1915F06B1A73EF934EDFEE7778F63D76AD08BD789B0DCB0A87CF57BC04EF20F9936DD8A22DA
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 07:54:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2677
        Entropy (8bit):4.0065547010523455
        Encrypted:false
        SSDEEP:
        MD5:66C5FED725F2CBD6373BD42F2F4BCA21
        SHA1:21CFA7037A2E9C5A991D8BA4D7496457B500067F
        SHA-256:716EAC5FC8853C330350225846E636BF52F0BE5E6F8895AB527F5043866159D7
        SHA-512:52F06FE2F53AF7E0D1AB4FF677CAE735463A1BCFA4CDCD0B8C5D26CC33DEA54975CF2047D128067B9562FAB44051218FF319C20FE52F80215EA5102DDC986692
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 07:54:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2677
        Entropy (8bit):3.9956133408120063
        Encrypted:false
        SSDEEP:
        MD5:E033812A2BA7E0A9E1B6D47FAB6C580F
        SHA1:27C720FD9ADBB4605F5AADB1B5DBF23D66407CDA
        SHA-256:0210FBF69728823EDFFFC375657E82B557C2F3AB5353C784441EED534A9A76A1
        SHA-512:9BAF7F0E655102609418A4CCC37D070A773D914A638553BE299E253E430B42D375190FD5EB13383BBB83683EC4E54B65ED053306A46A93217C2FFFEBD6A2C5DA
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 07:54:07 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
        Category:dropped
        Size (bytes):2679
        Entropy (8bit):4.004760258989806
        Encrypted:false
        SSDEEP:
        MD5:AC74A5AA95511427E3B629EB85283692
        SHA1:4CDAA3F6530861DB8A5B6932246D76B894ED7ED9
        SHA-256:2217D511CB75D140FBA19AC1649DA3693AEBF4B472478979E193B8D1F766DE01
        SHA-512:B975A8E1912611A17F660D289F7D46BD4594C1796B7008E6D07A34EE6909E1225032F977C9723C11C4B8DF88A467FD06C6265F6448E6ABDE7490F70368595C32
        Malicious:false
        Reputation:unknown
Preview: (binary .lnk data, not reproduced; the shortcut target is C:\Program Files\Google\Chrome\Application\chrome_proxy.exe)
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:gzip compressed data, last modified: Wed Jul 3 04:48:39 2024, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 820001792
        Category:dropped
        Size (bytes):0
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:
        MD5:8CCA575545C30962C90CD62BEF7D50F9
        SHA1:7963B601D9A63D074D760A70B8B3D2743C001E86
        SHA-256:DFBFF3011CB624680480C2DBB5F2E82EA55C11AED6723D54CB653A4644AA3AF0
        SHA-512:D780A66300F825F7A2D41255B9071BC968D066094F3A810DB822F3BB7A72670055EEECC7CF31AE1465FFF1BCD0C0F42DB437092A9B69F9FDA11472DE57F92BB2
        Malicious:false
        Reputation:unknown
        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
        File Type:gzip compressed data, last modified: Wed Jul 3 04:48:39 2024, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 820001792
        Category:dropped
        Size (bytes):1495961
        Entropy (8bit):4.7502678298401735
        Encrypted:false
        SSDEEP:
        MD5:8CCA575545C30962C90CD62BEF7D50F9
        SHA1:7963B601D9A63D074D760A70B8B3D2743C001E86
        SHA-256:DFBFF3011CB624680480C2DBB5F2E82EA55C11AED6723D54CB653A4644AA3AF0
        SHA-512:D780A66300F825F7A2D41255B9071BC968D066094F3A810DB822F3BB7A72670055EEECC7CF31AE1465FFF1BCD0C0F42DB437092A9B69F9FDA11472DE57F92BB2
        Malicious:false
        Reputation:unknown
        Process:C:\Program Files\7-Zip\7z.exe
        File Type:ASCII text, with CRLF line terminators
        Category:dropped
        Size (bytes):174
        Entropy (8bit):5.153247649042445
        Encrypted:false
        SSDEEP:
        MD5:FB4B15BA046D226750AD118A27E69E15
        SHA1:FFBA4830695FE3BE387FF24C9453C1E50B6C3A22
        SHA-256:CF5B79873580C2C6D2413665AD284B0D3F09EDDBF25290A1308DE03DF046A268
        SHA-512:775B5F6D757A9ECE0DC566009612DE59CEDADEF155B0916C65AD40FD1A54F1693CBF2B43C278A19D9CA8E4A8015A712F007AC99D56EEA9F3939D0BD3351B9DB9
        Malicious:false
        Reputation:unknown
Preview:
7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
Command Line Error:
Unsupported command:
C:\Users\user\Downloads\Confirmation of Payment.tgz
        No static file info