
Windows Analysis Report
PAYMENT.exe

Overview

General Information

Sample Name: PAYMENT.exe
Analysis ID: 630594
MD5: a9689bd1bb2b039f942c9c8bbd15e971
SHA1: 0c678d805133fe6d378ae394983ce76f09f3b85c
SHA256: 6671b97510130afebab128394a4ffb92ac0bba46012f87e736dc1d402254a1ad
Tags: exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains strange resources
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges

Process Tree

  • System is w10x64
  • PAYMENT.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\PAYMENT.exe" MD5: A9689BD1BB2B039F942C9C8BBD15E971)
    • WerFault.exe (PID: 6208 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1504 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: PAYMENT.exe | Virustotal: Detection: 20%
Source: PAYMENT.exe | ReversingLabs: Detection: 17%

Networking

Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 185.222.58.237:80
Source: unknown | TCP traffic detected without corresponding DNS query: 185.222.58.237 (reported 3 times)
Source: PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.58.237
Source: PAYMENT.exe, PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg
Source: PAYMENT.exe | String found in binary or memory: http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg;Bgzdedgvpv.Dhhsgjqzaeylvzlfho/Yhqysblupdqavjokvsliuor7Pyb
Source: PAYMENT.exe, 00000000.00000002.368269484.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.222.58.2374
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Source: initial sample | Static PE information: Filename: PAYMENT.exe
Source: PAYMENT.exe | Static file information: Suspicious name
Source: PAYMENT.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PAYMENT.exe | Binary or memory string: OriginalFilename vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000000.349269451.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000000.351829507.00000000008F2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBjlzvqo.exe< vs PAYMENT.exe
Source: PAYMENT.exe, 00000000.00000002.367465136.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PAYMENT.exe
Source: PAYMENT.exe | Binary or memory string: OriginalFilenameBjlzvqo.exe< vs PAYMENT.exe
Source: C:\Users\user\Desktop\PAYMENT.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1504
Source: PAYMENT.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119D16C
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119D160
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119B2EC
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119F5FA
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119DB71
Source: C:\Users\user\Desktop\PAYMENT.exe | Code function: 0_2_0119DB80
Source: PAYMENT.exe | Virustotal: Detection: 20%
Source: PAYMENT.exe | ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\PAYMENT.exe | File read: C:\Users\user\Desktop\PAYMENT.exe
Source: PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PAYMENT.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported 2 times)
Source: unknown | Process created: C:\Users\user\Desktop\PAYMENT.exe "C:\Users\user\Desktop\PAYMENT.exe"
Source: C:\Users\user\Desktop\PAYMENT.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6396
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER76CA.tmp
Source: classification engine | Classification label: mal60.evad.winEXE@2/4@0/2
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: C:\Users\user\Desktop\PAYMENT.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PAYMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: System.Core.ni.pdbRSDSD source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Xml.ni.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: PAYMENT.PDB source: PAYMENT.exe, 00000000.00000000.349269451.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, PAYMENT.exe, 00000000.00000002.367465136.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Accessibility.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.ni.pdbRSDS source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Configuration.ni.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Configuration.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Xml.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Core.ni.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Windows.Forms.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Configuration.pdbMZ@ source: WER76CA.tmp.dmp.14.dr
Source: Binary string: mscorlib.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Drawing.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: mscorlib.ni.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Drawing.pdbx source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.pdb3 source: WER76CA.tmp.dmp.14.dr
Source: Binary string: C:\Users\user\Desktop\PAYMENT.PDB source: PAYMENT.exe, 00000000.00000000.349269451.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, PAYMENT.exe, 00000000.00000002.367465136.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.Core.pdb source: WER76CA.tmp.dmp.14.dr
Source: Binary string: j,C:\Windows\System.pdb source: PAYMENT.exe, 00000000.00000000.349269451.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp, PAYMENT.exe, 00000000.00000002.367465136.0000000000CF7000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER76CA.tmp.dmp.14.dr
Source: Binary string: System.ni.pdb source: WER76CA.tmp.dmp.14.dr
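
The evidence rows in this report are flat "Source: origin / detail" pairs, and what a triage analyst needs from them is narrower than the raw list: which host the sandbox actually connected to, which strings are noise, and the facts that justify the score. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code; it parses a handful of rows copied from this report (still in the fused form the page extraction left them in) into structured IOCs. The regular expressions, the set of hosts treated as noise, and the reading of the classification label fields are my assumptions. The only host the sandbox contacted, 185.222.58.237, was reached with no DNS query, so the address is hard-coded, and the path it requested (Bjlzvqo_Ulimyrho.jpg, a name that matches the OriginalFilename Bjlzvqo.exe) is the string worth blocking. The fontbureau, carterandcone, tiro and similar URLs in the 0x6CE2000 region are font name-table strings that any WinForms application pulls into memory when it enumerates installed fonts, which the volume-information queries against C:\Windows\Fonts further down corroborate; putting them on a blocklist would only generate false positives.

```python
"""Added triage helper for flat Joe Sandbox evidence rows (example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: evidence rows copied from the report, in the fused
# "Source: <origin><detail>" form the page extraction produced.
SAMPLE_LINES = r"""
Source: PAYMENT.exeVirustotal: Detection: 20%Perma Link
Source: PAYMENT.exeReversingLabs: Detection: 17%
Source: global trafficTCP traffic: 192.168.2.3:49740 -> 185.222.58.237:80
Source: unknownTCP traffic detected without corresponding DNS query: 185.222.58.237
Source: PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PAYMENT.exe, 00000000.00000000.351829507.00000000008F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBjlzvqo.exe< vs PAYMENT.exe
Source: C:\Users\user\Desktop\PAYMENT.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1504
""".strip().splitlines()

# Assumption: hosts that come from font name tables (WinForms enumerates every
# installed font) or from .NET framework constants, not from the dropper's logic.
NOISE_HOSTS = {"www.fontbureau.com", "www.fonts.com", "www.tiro.com", "www.sakkal.com",
               "fontfabrik.com", "www.apache.org", "schemas.xmlsoap.org"}

RE_DETECTION = re.compile(r"^Source: .+?(?P<engine>Virustotal|ReversingLabs): Detection: (?P<pct>\d+)%")
RE_TCP = re.compile(r"TCP traffic: [\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
RE_NO_DNS = re.compile(r"without corresponding DNS query: (?P<ip>[\d.]+)")
RE_URL = re.compile(r"String found in binary or memory: (?P<url>https?://\S+)")
RE_ORIG = re.compile(r"OriginalFilename(?P<name>[\w.]+)\W* vs (?P<sample>\S+)")
RE_PROC = re.compile(r"^Source: (?P<parent>.+?)Process created: (?P<image>\S+) (?P<cmdline>.+)$")
RE_LABEL = re.compile(r"^(?P<verdict>clean|sus|mal)(?P<score>\d+)\.(?P<rest>.+)"
                      r"@(?P<procs>\d+)/(?P<dropped>\d+)@(?P<dns>\d+)/(?P<ips>\d+)$")


@dataclass
class Triage:
    detections: dict = field(default_factory=dict)   # engine -> percent of AVs flagging
    contacted: dict = field(default_factory=dict)    # destination ip -> port
    hardcoded_ips: set = field(default_factory=set)  # contacted without a DNS lookup
    urls: dict = field(default_factory=dict)         # url string -> verdict
    name_mismatches: list = field(default_factory=list)
    children: list = field(default_factory=list)     # (parent, image, cmdline)


def classify_url(url: str, contacted_hosts) -> str:
    """Rank a URL string by corroborating evidence, not by how it looks."""
    host = urlparse(url).hostname or ""
    if host in contacted_hosts:
        return "contacted"    # the sandbox saw a TCP connection to this host
    if host in NOISE_HOSTS:
        return "noise"        # font/framework metadata, not an indicator
    return "unverified"       # string only; the server may simply have been down


def parse_report(lines) -> Triage:
    t = Triage()
    url_strings = []
    for line in lines:
        if m := RE_DETECTION.search(line):
            t.detections[m["engine"]] = int(m["pct"])
        elif m := RE_TCP.search(line):
            t.contacted[m["dst"]] = int(m["dport"])
        elif m := RE_NO_DNS.search(line):
            t.hardcoded_ips.add(m["ip"])
        elif m := RE_URL.search(line):
            url_strings.append(m["url"])
        elif m := RE_PROC.search(line):
            t.children.append((m["parent"], m["image"], m["cmdline"]))
        elif (m := RE_ORIG.search(line)) and m["name"].lower() != m["sample"].lower():
            t.name_mismatches.append((m["name"], m["sample"]))
    for url in url_strings:            # classify only once all traffic rows are known
        t.urls[url] = classify_url(url, t.contacted)
    return t


def decode_label(label: str) -> dict:
    """Split a label such as 'mal60.evad.winEXE@2/4@0/2'. Assumed field order:
    verdict+score, behaviour flags, OS/file type, then
    processes/dropped files @ DNS queries/contacted IPs."""
    m = RE_LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised label: {label!r}")
    *flags, platform = m["rest"].split(".")
    return {"verdict": m["verdict"], "score": int(m["score"]), "flags": flags,
            "platform": platform, "processes": int(m["procs"]),
            "dropped_files": int(m["dropped"]), "dns_queries": int(m["dns"]),
            "contacted_ips": int(m["ips"])}


if __name__ == "__main__":
    t = parse_report(SAMPLE_LINES)
    print("AV detection rates:", t.detections)
    print("hard-coded C2 IPs (no DNS):", sorted(t.hardcoded_ips))
    for url, verdict in t.urls.items():
        print(f"  [{verdict:10}] {url}")
    print("OriginalFilename mismatches:", t.name_mismatches)
    print("child processes:", [img for _, img, _ in t.children])
    print("label:", decode_label("mal60.evad.winEXE@2/4@0/2"))
```

Feed it the full report split into lines instead of SAMPLE_LINES to rank every string. Anything left as "unverified" still needs a look: a dropper whose server was down at analysis time, as this one was, never gets to show its second-stage traffic, so the in-memory URL is the only network indicator the run can yield.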

Data Obfuscation

Source: PAYMENT.exe, Pybwiv/Form1.cs | .Net Code: gbtn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PAYMENT.exe.8f0000.0.unpack, Pybwiv/Form1.cs | .Net Code: gbtn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PAYMENT.exe.8f0000.2.unpack, Pybwiv/Form1.cs | .Net Code: gbtn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PAYMENT.exe.8f0000.0.unpack, Pybwiv/Form1.cs | .Net Code: gbtn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PAYMENT.exe.8f0000.1.unpack, Pybwiv/Form1.cs | .Net Code: gbtn System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\PAYMENT.exe | Process information set: NOOPENFILEERRORBOX (reported 41 times)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS, NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (reported 20 times)

Anti Debugging

Source: C:\Users\user\Desktop\PAYMENT.exe | Process queried: DebugPort (reported 2 times)
Source: C:\Users\user\Desktop\PAYMENT.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PAYMENT.exe | Memory allocated: page read and write, page guard

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Users\user\Desktop\PAYMENT.exe VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\PAYMENT.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source | Behavior | Target
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\ITCEDSCR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CURLZ___.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\COPRGTL.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\COPRGTB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CENSCBK.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\SCHLBKI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\SCHLBKB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\SCHLBKBI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CASTELAR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CALIST.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CALISTI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CALISTB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CALISTBI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOOKOS.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOOKOSB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOOKOSI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOOKOSBI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_R.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_I.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_B.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_BI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_CR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_BLAR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_CI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_CB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_BLAI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BOD_CBI.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\ITCBLKAD.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\ARLRDBD.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\AGENCYR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\AGENCYB.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\BSSYM7.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\REFSAN.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\REFSPCL.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\MTEXTRA.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\marlett.ttf
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\micross.ttf
C:\Users\user\Desktop\PAYMENT.exe | Key value queried | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography, value MachineGuid
MITRE ATT&CK matrix (techniques per tactic as listed in the report; a number in parentheses is the count of matched signatures the report attached to that technique, entries without a number are the matrix's placeholder techniques with no matching signature):
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Software Packing (1), Process Injection (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (1), System Information Discovery (12), Remote System Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud
Behavior graph legend (the graph is an image and is not reproduced here):

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner
PAYMENT.exe | 21% | Virustotal
PAYMENT.exe | 17% | ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg | NaN% | Virustotal |
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg;Bgzdedgvpv.Dhhsgjqzaeylvzlfho/Yhqysblupdqavjokvsliuor7Pyb | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://185.222.58.237 | 2% | Virustotal |
http://185.222.58.237 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://185.222.58.2374 | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg | PAYMENT.exe, PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: NaN%; Avira URL Cloud: safe | unknown
http://www.tiro.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg;Bgzdedgvpv.Dhhsgjqzaeylvzlfho/Yhqysblupdqavjokvsliuor7Pyb | PAYMENT.exe | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://185.222.58.237 | PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PAYMENT.exe, 00000000.00000002.367849517.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PAYMENT.exe, 00000000.00000002.369459824.0000000006CE2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.222.58.2374 | PAYMENT.exe, 00000000.00000002.368269484.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
Reputation scale used by the table: No. of IPs < 25% | 25% < No. of IPs < 50% | 50% < No. of IPs < 75% | 75% < No. of IPs
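Two places in this report bury the signal in noise: the behavior listing earlier on the page (dozens of volume-information queries against font files, then a single read of the Cryptography\MachineGuid value) and the URL table directly above (font-vendor and schema strings carved from memory next to the three 185.222.58.237 entries and one garbled 185.222.58.2374). The Python below is an added example, not Joe Sandbox code, and serves both passages. Its inputs are rows transcribed from those two tables and embedded inline as constructed data. Counting the font-directory queries as GDI+ font-enumeration noise is my interpretation (the report does not attribute them); the set of host-fingerprint registry values holds only the value this report shows and is labelled as an assumption in the code. URL hosts are classified with the standard library's ipaddress module, so an octet out of range (the 2374 in the last row, which is what a truncated memory string looks like) is reported rather than silently dropped or counted as an indicator.

```python
"""Triage of Joe Sandbox behaviour rows and URL rows.

Added example (not Joe Sandbox code). Inputs are constructed below from rows
transcribed off this report; the registry-value set is an assumption that an
analyst extends as needed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: a few of the report's behaviour rows, "Source | Behavior | Target".
BEHAVIOR_ROWS = r"""
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\ITCEDSCR.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\CURLZ___.TTF
C:\Users\user\Desktop\PAYMENT.exe | Queries volume information | C:\Windows\Fonts\micross.ttf
C:\Users\user\Desktop\PAYMENT.exe | Key value queried | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
"""

# Constructed: a subset of the report's URL rows, "URL | Malicious | Reputation".
URL_ROWS = """
http://www.apache.org/licenses/LICENSE-2.0 | false | high
http://www.fontbureau.com/designers | false | high
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg | false | unknown
http://185.222.58.237/Bjlzvqo_Ulimyrho.jpg;Bgzdedgvpv.Dhhsgjqzaeylvzlfho/Yhqysblupdqavjokvsliuor7Pyb | false | unknown
http://www.tiro.com | false | unknown
http://185.222.58.237 | false | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | high
http://185.222.58.2374 | false | low
"""

# Registry values read to derive a stable per-host identifier. Assumed list:
# only the value this report shows is included; add others as you meet them.
FINGERPRINT_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid",
}
FONT_DIR = re.compile(r"^C:\\Windows\\Fonts\\", re.IGNORECASE)


def parse_rows(text):
    """Split pipe-separated rows into lists of stripped cells."""
    return [[c.strip() for c in line.split("|")]
            for line in text.strip().splitlines()]


def triage_behavior(text):
    """Return (font_noise_count, indicators) for behaviour rows.

    Volume-information queries against the Windows Fonts directory are
    counted and dropped; everything else is kept, with reads of known
    fingerprint values labelled 'host-fingerprint'."""
    noise, indicators = 0, []
    for _source, action, target in parse_rows(text):
        if action == "Queries volume information" and FONT_DIR.match(target):
            noise += 1
        elif action == "Key value queried" and target in FINGERPRINT_VALUES:
            indicators.append(("host-fingerprint", target))
        else:
            indicators.append((action, target))
    return noise, indicators


def classify_host(url):
    """'ip-literal' for a valid dotted-quad host, 'bad-ip-literal' when the
    host is numeric but not a valid IPv4 address (an octet above 255 usually
    means a truncated string carved from memory), otherwise 'name'."""
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"[0-9.]+", host):
        try:
            ipaddress.IPv4Address(host)
            return "ip-literal"
        except ipaddress.AddressValueError:
            return "bad-ip-literal"
    return "name"


def triage_urls(text):
    """Group URLs by host class; IP-literal hosts are the staging candidates."""
    groups = {"ip-literal": [], "bad-ip-literal": [], "name": []}
    for url, _malicious, _reputation in parse_rows(text):
        groups[classify_host(url)].append(url)
    return groups


if __name__ == "__main__":
    noise, indicators = triage_behavior(BEHAVIOR_ROWS)
    print(f"font queries dropped: {noise}; kept: {indicators}")
    for kind, urls in triage_urls(URL_ROWS).items():
        print(kind, urls)
```

On this report's rows the behaviour triage leaves one indicator, the MachineGuid read, and the URL triage puts the three 185.222.58.237 entries in one bucket, the schema and font URLs in another, and 185.222.58.2374 in its own, which is the split an analyst wants before pivoting on the ASN context further down the page.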
IP | Domain | Country | ASN | ASN Name | Malicious
185.222.58.237 | unknown | Netherlands | 51447 | ROOTLAYERNETNL | false
                        IP
                        192.168.2.1
                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:630594
Start date and time: 2022-05-20 00:07:08 +02:00
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 6m 49s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:PAYMENT.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal60.evad.winEXE@2/4@0/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 0.1% (good quality ratio 0%)
                        • Quality average: 25%
                        • Quality standard deviation: 43.3%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 13
                        • Number of non-executed functions: 3
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Adjust boot time
                        • Enable AMSI
                        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 20.189.173.22
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
00:09:07 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
                        No context
                        No context
Match | Associated Sample Name / URL | Detection | Context
ROOTLAYERNETNL | Payment.exe | malicious | 45.137.22.122
ROOTLAYERNETNL | Quotation.xlsx | malicious | 185.222.58.51
ROOTLAYERNETNL | Order Package.xlsx | malicious | 185.222.58.244
ROOTLAYERNETNL | ORDER SV-033764.exe | malicious | 185.222.57.155
ROOTLAYERNETNL | ORDER_SV-033764.exe | malicious | 185.222.57.155
ROOTLAYERNETNL | ORDER SV-033764.exe | malicious | 185.222.57.155
ROOTLAYERNETNL | ORDER SV-033764.exe | malicious | 185.222.57.155
ROOTLAYERNETNL | Hzb1l180P6.exe | malicious | 45.137.22.227
ROOTLAYERNETNL | bankreportt.exe | malicious | 185.222.57.252
ROOTLAYERNETNL | SecuriteInfo.com.W32.AIDetectNet.01.11996.exe | malicious | 185.222.57.252
ROOTLAYERNETNL | SecuriteInfo.com.W32.AIDetectNet.01.20266.exe | malicious | 185.222.57.252
ROOTLAYERNETNL | aaaaaaaa.docx | malicious | 185.222.58.48
ROOTLAYERNETNL | SecuriteInfo.com.Variant.Strictor.270970.28606.exe | malicious | 185.222.57.199
ROOTLAYERNETNL | INV_TMB-CI2006-003.xlsx | malicious | 185.222.58.48
ROOTLAYERNETNL | Swift Copy.exe | malicious | 45.137.22.122
ROOTLAYERNETNL | 85nECQIP87.exe | malicious | 45.137.22.41
ROOTLAYERNETNL | SWIFT.xlsx | malicious | 185.222.58.48
ROOTLAYERNETNL | Controllo saldo 30% Ordine 5667.exe | malicious | 45.137.22.163
ROOTLAYERNETNL | SecuriteInfo.com.Trojan.DownloaderNET.369.29244.exe | malicious | 185.222.57.199
ROOTLAYERNETNL | SecuriteInfo.com.Variant.Strictor.271095.20507.exe | malicious | 185.222.57.182
                        No context
                        No context
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):1.1277695744898428
                        Encrypted:false
                        SSDEEP:192:QeKidGuKoHBUZMXyaKeCiAKmNcE/u7sWS274ItD:d/NNBUZMXyawcE/u7sWX4ItD
                        MD5:0258D73126FAFE7DA7FEDB59FA0331A5
                        SHA1:ABB340675BD1D4130708658CF9AB0488C0DD1845
                        SHA-256:6E3C5B658C33D04FDD5489379EBFF1F53C582FF5625E502A6AD17BEABBBFF1BD
                        SHA-512:800B78D14E0E9AC46745E7ECF6E4DBFC33577DA07DB2F315FF20D4E4A9F8FB9C9962536CDDE6A347F3F15E0AB13E734CEC1BFE3BA17AAD1379B3567F0B76B095
                        Malicious:true
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.5.0.4.1.4.3.0.7.7.1.5.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.5.0.4.1.4.5.5.7.7.1.5.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.d.e.d.9.3.a.0.-.d.d.6.1.-.4.9.b.0.-.a.a.1.5.-.c.c.9.5.b.5.c.1.5.4.6.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.3.e.1.c.d.a.-.6.3.9.2.-.4.a.0.7.-.9.e.9.7.-.0.e.f.c.5.0.7.9.e.9.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.A.Y.M.E.N.T...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.j.l.z.v.q.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.f.c.-.0.0.0.1.-.0.0.1.d.-.8.a.2.2.-.0.e.5.b.1.8.6.c.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.4.6.8.7.4.f.3.f.3.c.f.7.e.d.d.e.8.3.3.1.5.4.6.7.0.1.4.a.9.9.5.0.0.0.0.0.0.0.0.!.0.0.0.0.0.c.6.7.8.d.8.0.5.1.3.3.f.e.6.d.3.7.8.a.e.3.9.4.9.8.3.c.e.7.6.f.0.9.f.3.b.8.5.c.
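The first dropped file is the report WerFault wrote when PAYMENT.exe crashed: UTF-16LE key=value lines, and the preview already shows the two fields that matter, NsAppName=PAYMENT.exe against OriginalFilename=Bjlzvqo.exe, which is the version-info name that the "Sample file is different than original file name" signature refers to and which also matches the Bjlzvqo_Ulimyrho.jpg path in the URL table. The Python below is an added example, not Joe Sandbox code: it decodes such a report, flags the name mismatch, and computes the 8-bit entropy figure the report prints for each file. The WER_BYTES sample is constructed from the fields visible in the preview (the real file is 64 KiB and carries many more keys); the file's on-disk path is not given on this page and is not assumed.

```python
"""Parse a WER report and compare the crashing image's version-info name
with the name it ran under.

Added example, not Joe Sandbox code. WER_BYTES is constructed from the
fields visible in the report's preview of the first dropped file.
"""
import math

# Constructed: key=value lines as WerFault writes them (CRLF, UTF-16LE, BOM).
WER_TEXT = (
    "Version=1\r\n"
    "EventType=CLR20r3\r\n"
    "EventTime=132975041430771599\r\n"
    "ReportType=2\r\n"
    "NsAppName=PAYMENT.exe\r\n"
    "OriginalFilename=Bjlzvqo.exe\r\n"
)
WER_BYTES = b"\xff\xfe" + WER_TEXT.encode("utf-16-le")


def parse_wer(data):
    """Decode a BOM-prefixed UTF-16 WER report into a dict of its keys."""
    fields = {}
    for line in data.decode("utf-16").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def name_mismatch(fields):
    """True when the process name differs from the PE's OriginalFilename,
    None when either field is absent. A mismatch is the WER-side view of
    the report's "Sample file is different than original file name"
    signature."""
    ran_as = fields.get("NsAppName")
    original = fields.get("OriginalFilename")
    if not ran_as or not original:
        return None
    return ran_as.lower() != original.lower()


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte (the report's Entropy field)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    fields = parse_wer(WER_BYTES)
    print("event:", fields["EventType"], "| ran as:", fields["NsAppName"],
          "| version-info name:", fields["OriginalFilename"])
    print("name mismatch:", name_mismatch(fields))
    print("entropy of the UTF-16 sample: %.2f bits/byte" % shannon_entropy(WER_BYTES))
```

Two things to read off the result. EventType CLR20r3 is the bucket WER assigns to an unhandled managed exception, which is what the process tree shows: the 32-bit WerFault.exe was started for PID 6396, the sample's own process. And ASCII text stored as UTF-16LE interleaves a zero byte with every character, so its entropy is exactly 1 + H/2 where H is the entropy of the same text as ASCII; the 1.13 bits/byte the report gives for a 65,536-byte file is well below that for any varied text, which means most of the file is a single repeated byte value and the key=value lines in the preview are a small part of it.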
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:Mini DuMP crash report, 15 streams, Fri May 20 07:09:03 2022, 0x1205a4 type
                        Category:dropped
                        Size (bytes):291911
                        Entropy (8bit):3.991913462698541
                        Encrypted:false
                        SSDEEP:3072:71wqwCBUCgUK3Q9gIOgF5ln+wac4m+RoSLl0koFjd+pNDKK0Vk4:JwwBTjKA9RpDlnBumojx0RapNDF4J
                        MD5:5047CD56CFB46DC5B0A4D3D10F37EA62
                        SHA1:50BC21D6E4871B3C4C2DB6B53BFA11C6CF910F6D
                        SHA-256:4CA40CC8B10AF3EB260CD9D1E1533D2DC7F2ED77718CABCA4CE82F874F26CDDA
                        SHA-512:BFDB074A89995B1223E5B7683623BCE9853367121A11F75EB3C27342AB00746838421C67CA3497881C0F6FA62685E513B01BE70EEEDB89D281D088489DF0EDCE
                        Malicious:false
                        Reputation:low
                        Preview:MDMP....... ........>.b............t.......................T... $.......+...U..........`.......8...........T...........0:...:..........t$..........`&...................................................................U...........B.......&......GenuineIntelW...........T...........W>.b.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8386
                        Entropy (8bit):3.69670586775236
                        Encrypted:false
                        SSDEEP:192:Rrl7r3GLNiRa6yiK6YWnSU6x/RgmfZXvnSErCprt89bdksfd/m:RrlsNic6K6YGSU6x/RgmfZvnSEpdXfI
                        MD5:267937B60CB77E1F5E4ACC0188E0251A
                        SHA1:7F73DFDF6053B09B34E4660522F8BD444093271B
                        SHA-256:95CE8C3E0890D7B5C4C6A35EE4110D65F27A827BDD260179DC6AF7269CD9539C
                        SHA-512:0CB12F37B342F6B9EEF2153DF30ABEB38C8091DDCB87177EB65E7CAB8D4147AA96FD2253C30DA9F7980B0B9C92AFE7F9D70CBCD75AFCE0BD993F3EBD64C51380
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.9.6.<./.P.i.d.>.......
                        Process:C:\Windows\SysWOW64\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4727
                        Entropy (8bit):4.47679567957431
                        Encrypted:false
                        SSDEEP:48:cvIwSD8zsXJgtWI9PXWgc8sqYj78fm8M4JwyyTFtH+q8vdytZ8jetd:uITf5MmgrsqYUJwyEHKdIWetd
                        MD5:6E75E6119F90654EF472A10DD10FC182
                        SHA1:A4F53D66CF2ECC3E9FD72927C71F4A1EE98BD8DD
                        SHA-256:A3DF1F37588D1049A4CB83603AB46628CDA23456DF1E27934B02DB9E780FFB9C
                        SHA-512:27727713B765D774A4FDA39EB873D50F0E669A09EC3F237C0E1D5D77C968855586EEBD34C74B1FF0FDADEDE2DBCFA7AEF94221FFC2FF15C842B42459277FD101
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1523059" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):3.6949440444402053
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                        • Win32 Executable (generic) a (10002005/4) 49.78%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:PAYMENT.exe
                        File size:24064
                        MD5:a9689bd1bb2b039f942c9c8bbd15e971
                        SHA1:0c678d805133fe6d378ae394983ce76f09f3b85c
                        SHA256:6671b97510130afebab128394a4ffb92ac0bba46012f87e736dc1d402254a1ad
                        SHA512:b32d95b79e630c2d75ca5a36f3b2d554c35250d4663aace18305400fe4454f4704c2b2dcfa4564f3111f8593b58f4cf5e277eee456f8387558e0607bf748a222
                        SSDEEP:384:m1t4gouPF7JOMv4IDZGKINlVNPrtpYGbX:mzzjL444jr
                        TLSH:58B2B822A35AC126D97507B8DC63E7F48264DE718871DA1B24DD3C5FBE33BC24D62262
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0......F.......5... ........@.. ....................................@................................
                        Icon Hash:003944ccea621500
                        Entrypoint:0x4035be
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x6286A20D [Thu May 19 20:01:17 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly)
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes after the 6-byte stub are zero, which the disassembler renders as this instruction)
                        Data directories

                        Name                                  Virtual Address  Virtual Size  Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x356c           0x4f          .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x4000           0x4400        .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa000           0xc           .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                        Sections

                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                        .text   0x2000           0x15c4        0x1600    False     0.581498579545   data       5.56276281777    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rsrc   0x4000           0x4400        0x4400    False     0.171989889706   data       2.65538018979    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc  0xa000           0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        Resources

                        Name           RVA     Size    Type                                                                                                                            Language  Country
                        RT_ICON        0x4140  0x468   GLS_BINARY_LSB_FIRST
                        RT_ICON        0x45b8  0x10a8  dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295
                        RT_ICON        0x5670  0x25a8  dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4294967295, next used block 4294967295
                        RT_GROUP_ICON  0x7c28  0x30    data
                        RT_VERSION     0x7c68  0x3b0   data
                        RT_MANIFEST    0x8028  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                        Imports

                        DLL          Import
                        mscoree.dll  _CorExeMain
                        Version Infos

                        Description       Data
                        Translation       0x0000 0x04b0
                        LegalCopyright    Copyright 2022 Google LLC. All rights reserved.
                        Assembly Version  101.0.4951.67
                        InternalName      Bjlzvqo.exe
                        FileVersion       101.0.4951.67
                        CompanyName       Google LLC
                        LegalTrademarks
                        Comments          Google Chrome
                        ProductName       Google Chrome
                        ProductVersion    101.0.4951.67
                        FileDescription   Google Chrome
                        OriginalFilename  Bjlzvqo.exe
                        Network Behavior

                        Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                        May 20, 2022 00:08:34.643121958 CEST  49740        80         192.168.2.3  185.222.58.237
                        May 20, 2022 00:08:37.662064075 CEST  49740        80         192.168.2.3  185.222.58.237
                        May 20, 2022 00:08:43.662658930 CEST  49740        80         192.168.2.3  185.222.58.237


                        Target ID: 0
                        Start time: 00:08:07
                        Start date: 20/05/2022
                        Path: C:\Users\user\Desktop\PAYMENT.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\PAYMENT.exe"
                        Imagebase: 0x8f0000
                        File size: 24064 bytes
                        MD5 hash: A9689BD1BB2B039F942C9C8BBD15E971
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Reputation: low

                        Target ID: 14
                        Start time: 00:09:01
                        Start date: 20/05/2022
                        Path: C:\Windows\SysWOW64\WerFault.exe
                        Wow64 process (32bit): true
                        Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6396 -s 1504
                        Imagebase: 0x1030000
                        File size: 434592 bytes
                        MD5 hash: 9E2B8ACAD48ECCA55C0230D63623661B
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: .Net C# or VB.NET
                        Reputation: high


                          Execution Graph

                          Execution Coverage:10.7%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:86
                          Total number of Limit Nodes:6
                          execution_graph 12980 119f2f8 12981 119f2fd CreateWindowExW 12980->12981 12983 119f41c 12981->12983 12983->12983 13024 1194068 13025 1194089 13024->13025 13028 1193a24 13025->13028 13027 11940ed 13029 1193a2f 13028->13029 13032 1193b48 13029->13032 13031 11941c2 13031->13027 13033 1193b53 13032->13033 13036 1193b78 13033->13036 13035 11942d1 13035->13031 13038 1193b83 13036->13038 13037 119649c 13037->13035 13038->13037 13040 119aaf8 13038->13040 13041 119ab06 13040->13041 13042 119aa9d 13040->13042 13043 119ab4d 13041->13043 13046 119acb8 13041->13046 13050 119aca7 13041->13050 13042->13037 13043->13037 13047 119acc5 13046->13047 13048 119acff 13047->13048 13054 119980c 13047->13054 13048->13043 13051 119acc5 13050->13051 13052 119acff 13051->13052 13053 119980c 2 API calls 13051->13053 13052->13043 13053->13052 13055 1199817 13054->13055 13057 119b9f8 13055->13057 13058 119b01c 13055->13058 13057->13057 13059 119b027 13058->13059 13060 1193b78 2 API calls 13059->13060 13061 119ba67 13060->13061 13065 119d7f0 13061->13065 13071 119d7d8 13061->13071 13062 119baa0 13062->13057 13067 119d821 13065->13067 13068 119d86e 13065->13068 13066 119d82d 13066->13062 13067->13066 13077 119db29 13067->13077 13080 119db38 13067->13080 13068->13062 13073 119d86e 13071->13073 13074 119d821 13071->13074 13072 119d82d 13072->13062 13073->13062 13074->13072 13075 119db29 2 API calls 13074->13075 13076 119db38 2 API calls 13074->13076 13075->13073 13076->13073 13078 1198ae8 2 API calls 13077->13078 13079 119db41 13077->13079 13078->13079 13079->13068 13081 1198ae8 2 API calls 13080->13081 13082 119db41 13081->13082 13082->13068 12984 119add0 GetCurrentProcess 12985 119ae4a GetCurrentThread 12984->12985 12986 119ae43 12984->12986 12987 119ae80 12985->12987 12988 119ae87 GetCurrentProcess 12985->12988 12986->12985 12987->12988 12991 119aebd 12988->12991 12989 119aee5 GetCurrentThreadId 12990 119af16 12989->12990 12991->12989 12992 11989f0 12996 1198ad8 
12992->12996 13004 1198ae8 12992->13004 12993 11989ff 12997 1198afb 12996->12997 12998 1198b13 12997->12998 13012 1198d61 12997->13012 13016 1198d70 12997->13016 12998->12993 12999 1198b0b 12999->12998 13000 1198d10 GetModuleHandleW 12999->13000 13001 1198d3d 13000->13001 13001->12993 13005 1198afb 13004->13005 13006 1198b13 13005->13006 13010 1198d61 LoadLibraryExW 13005->13010 13011 1198d70 LoadLibraryExW 13005->13011 13006->12993 13007 1198b0b 13007->13006 13008 1198d10 GetModuleHandleW 13007->13008 13009 1198d3d 13008->13009 13009->12993 13010->13007 13011->13007 13013 1198d84 13012->13013 13014 1198da9 13013->13014 13020 1197e88 13013->13020 13014->12999 13018 1198d84 13016->13018 13017 1198da9 13017->12999 13018->13017 13019 1197e88 LoadLibraryExW 13018->13019 13019->13017 13021 1198f50 LoadLibraryExW 13020->13021 13023 1198fc9 13021->13023 13023->13014 13083 119b400 DuplicateHandle 13084 119b496 13083->13084
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1d6a9948f996ad9547a82a9d06ce63c12e8f5be80c87e67ac19d4ab3492e4795
                          • Instruction ID: 6f012d838fc896a7e5dd377ece68732b4c398cf857393431164f14905cea6f36
                          • Opcode Fuzzy Hash: 1d6a9948f996ad9547a82a9d06ce63c12e8f5be80c87e67ac19d4ab3492e4795
                          • Instruction Fuzzy Hash: A4919035E003199FCB04DFA4D8549DDBBBAFF89304F148615E525AF3A0DB70A98ACB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f9ed00662a40706f2339fd4efdc9ce63ca322bd4fe7af644b020889cc6b84f81
                          • Instruction ID: fa1d0a55da49288877d652d455c762297aa8eefb8e852871eefab1eb549171d2
                          • Opcode Fuzzy Hash: f9ed00662a40706f2339fd4efdc9ce63ca322bd4fe7af644b020889cc6b84f81
                          • Instruction Fuzzy Hash: FA819F35E003599FCB05DFA4D8449DDBBBAFF89304B148615E515AF3A4EB70A889CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 47e96f7b04f8eb8807fd109840399706f127221c6b764a491879af4b05a04e21
                          • Instruction ID: 60ae5e282a073552c39e5ca0f526de8c0a731dd43d7e8924d20c0660aaa968b3
                          • Opcode Fuzzy Hash: 47e96f7b04f8eb8807fd109840399706f127221c6b764a491879af4b05a04e21
                          • Instruction Fuzzy Hash: A4816F35E003199FCB05DFA4D8449DDBBBAFF89304F148615E515AB3A4EB70A98ACB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0119AE30
                          • GetCurrentThread.KERNEL32 ref: 0119AE6D
                          • GetCurrentProcess.KERNEL32 ref: 0119AEAA
                          • GetCurrentThreadId.KERNEL32 ref: 0119AF03
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 4ee5d876d62de37e491768510a67be4b98910f51b263cce81c28ea76f8b33b62
                          • Instruction ID: f465f41144054bb5af9e508023711e9ca4c45385be8e3255eb43db896bac6344
                          • Opcode Fuzzy Hash: 4ee5d876d62de37e491768510a67be4b98910f51b263cce81c28ea76f8b33b62
                          • Instruction Fuzzy Hash: 245156B0D002898FDB14CFA9D5887DEBBF1FF49314F208959E419A7750D7745948CB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 0119AE30
                          • GetCurrentThread.KERNEL32 ref: 0119AE6D
                          • GetCurrentProcess.KERNEL32 ref: 0119AEAA
                          • GetCurrentThreadId.KERNEL32 ref: 0119AF03
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 43ad960980d927f25b5090c154ab0105de282a045c53daf40e816713eeb773f5
                          • Instruction ID: 7136431b6dfb12a19fcd830c43eefcd5451db898e1301101843543c98d7c66d4
                          • Opcode Fuzzy Hash: 43ad960980d927f25b5090c154ab0105de282a045c53daf40e816713eeb773f5
                          • Instruction Fuzzy Hash: D85124B0D002498FDB14CFAAD588BDEBBF1FF48318F208959E419A7750DB746948CB66
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 42 1198ae8-1198af0 43 1198afb-1198afd 42->43 44 1198af6 call 1197e20 42->44 45 1198aff 43->45 46 1198b13-1198b17 43->46 44->43 95 1198b05 call 1198d61 45->95 96 1198b05 call 1198d70 45->96 47 1198b19-1198b23 46->47 48 1198b2b-1198b6c 46->48 47->48 53 1198b79-1198b87 48->53 54 1198b6e-1198b76 48->54 49 1198b0b-1198b0d 49->46 50 1198c48-1198d08 49->50 90 1198d0a-1198d0d 50->90 91 1198d10-1198d3b GetModuleHandleW 50->91 55 1198b89-1198b8e 53->55 56 1198bab-1198bad 53->56 54->53 59 1198b99 55->59 60 1198b90-1198b97 call 1197e2c 55->60 58 1198bb0-1198bb7 56->58 63 1198bb9-1198bc1 58->63 64 1198bc4-1198bcb 58->64 61 1198b9b-1198ba9 59->61 60->61 61->58 63->64 67 1198bd8-1198bda call 1197e3c 64->67 68 1198bcd-1198bd5 64->68 71 1198bdf-1198be1 67->71 68->67 73 1198bee-1198bf3 71->73 74 1198be3-1198beb 71->74 75 1198c11-1198c1e 73->75 76 1198bf5-1198bfc 73->76 74->73 83 1198c41-1198c47 75->83 84 1198c20-1198c3e 75->84 76->75 77 1198bfe-1198c0e call 1197e4c call 1197e5c 76->77 77->75 84->83 90->91 92 1198d3d-1198d43 91->92 93 1198d44-1198d58 91->93 92->93 95->49 96->49
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01198D2E
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 2639162431f4f61d107ceccd035b50783537b936caa7f9a75b95157c70bd6a7a
                          • Instruction ID: 448eadf17d614858c63921592b165505260ccfa3dcada35cfe7b20a0aa90141c
                          • Opcode Fuzzy Hash: 2639162431f4f61d107ceccd035b50783537b936caa7f9a75b95157c70bd6a7a
                          • Instruction Fuzzy Hash: BD7124B0A00B098FDB28DF2AC45475ABBF1FF89204F04892AD55ADBB50DB34E8458F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 97 119f2ec-119f2f4 98 119f2fd-119f35e 97->98 99 119f2f6-119f2fc 97->99 100 119f369-119f370 98->100 101 119f360-119f366 98->101 99->98 102 119f37b-119f3b3 100->102 103 119f372-119f378 100->103 101->100 104 119f3bb-119f41a CreateWindowExW 102->104 103->102 105 119f41c-119f422 104->105 106 119f423-119f45b 104->106 105->106 110 119f468 106->110 111 119f45d-119f460 106->111 112 119f469 110->112 111->110 112->112
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119F40A
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 21253bbd383bf5897de8dc34b5abf83264c1d4c01a49a75555a9c25a15d58b49
                          • Instruction ID: ca72764bbed7905aa9e8439773e262bf780621b0591a80187e778baff20b6643
                          • Opcode Fuzzy Hash: 21253bbd383bf5897de8dc34b5abf83264c1d4c01a49a75555a9c25a15d58b49
                          • Instruction Fuzzy Hash: F851CFB1D00259EFDF14CF99C984ADEBFB5BF48314F24812AE818AB210D7749986CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 113 119f2f8-119f35e 115 119f369-119f370 113->115 116 119f360-119f366 113->116 117 119f37b-119f41a CreateWindowExW 115->117 118 119f372-119f378 115->118 116->115 120 119f41c-119f422 117->120 121 119f423-119f45b 117->121 118->117 120->121 125 119f468 121->125 126 119f45d-119f460 121->126 127 119f469 125->127 126->125 127->127
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0119F40A
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 19259d17fe5c6a315c857f7c5bf22936d9763e0ecac0a766b78ca0941b38f19c
                          • Instruction ID: 7d710a5a0cd9e8eca607458f37adb9308be92588e0fa60b5c9fa19a75aa6ed5a
                          • Opcode Fuzzy Hash: 19259d17fe5c6a315c857f7c5bf22936d9763e0ecac0a766b78ca0941b38f19c
                          • Instruction Fuzzy Hash: 6841ADB1D00349AFDF14CF99C884ADEBFB5BF48314F24812AE819AB210D7749986CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 128 119b3f8-119b494 DuplicateHandle 129 119b49d-119b4ba 128->129 130 119b496-119b49c 128->130 130->129
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119B487
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 19fbe3f611790f87b6f430760aaeb92803979bfe9a62ebfde639dd0c4960bd2b
                          • Instruction ID: bcbc5db9c5050dd789b1f3177a6b6ccfcf91954652262a6121b6619316a0f21e
                          • Opcode Fuzzy Hash: 19fbe3f611790f87b6f430760aaeb92803979bfe9a62ebfde639dd0c4960bd2b
                          • Instruction Fuzzy Hash: 1D21F2B5D002499FDF10CFA9D884AEEBFF4EB48320F14851AE955B3250C374A945CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 133 119b400-119b494 DuplicateHandle 134 119b49d-119b4ba 133->134 135 119b496-119b49c 133->135 135->134
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0119B487
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 102a3261c69f58b7c5e137a5dfdcb4f8f7557574d045fdf348bc51e3059777ba
                          • Instruction ID: 15bb5106b9d876d353e246976547166e1dc546ba18c8cf23743f0768c405d434
                          • Opcode Fuzzy Hash: 102a3261c69f58b7c5e137a5dfdcb4f8f7557574d045fdf348bc51e3059777ba
                          • Instruction Fuzzy Hash: 5421C2B5900249AFDF10CFAAD984ADEBBF8FB48324F14841AE915B7310D374A944DFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 146 1198f48-1198f90 147 1198f98-1198fc7 LoadLibraryExW 146->147 148 1198f92-1198f95 146->148 149 1198fc9-1198fcf 147->149 150 1198fd0-1198fed 147->150 148->147 149->150
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01198DA9,00000800,00000000,00000000), ref: 01198FBA
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: be3aa1e2e0988b2ddb29b0a530fa7299256454ecb50a39eb6c26f3eff305cd68
                          • Instruction ID: 4ce68ab9c92f13ba2ced249e69f60f6d2b37bb02334660b4b156ce8f1ebdfe38
                          • Opcode Fuzzy Hash: be3aa1e2e0988b2ddb29b0a530fa7299256454ecb50a39eb6c26f3eff305cd68
                          • Instruction Fuzzy Hash: D82136B6D002498FCB10CFA9C484ADEFBF5EB89314F14842ED565B7600C375A545CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 138 1197e88-1198f90 140 1198f98-1198fc7 LoadLibraryExW 138->140 141 1198f92-1198f95 138->141 142 1198fc9-1198fcf 140->142 143 1198fd0-1198fed 140->143 141->140 142->143
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01198DA9,00000800,00000000,00000000), ref: 01198FBA
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 40b45fd095a812a88e1a15509a1a451057e2d8b1a0825f385e94f8c571f7f290
                          • Instruction ID: 9bebe831b2104fbfb9ac6fd49acc168b54aa4b95a40ba167acb388c6d9136794
                          • Opcode Fuzzy Hash: 40b45fd095a812a88e1a15509a1a451057e2d8b1a0825f385e94f8c571f7f290
                          • Instruction Fuzzy Hash: 271106B69042498FDB14CF9AC444BDEFBF5EB89310F04842AE625B7600C375A945CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 153 1198cc8-1198d08 154 1198d0a-1198d0d 153->154 155 1198d10-1198d3b GetModuleHandleW 153->155 154->155 156 1198d3d-1198d43 155->156 157 1198d44-1198d58 155->157 156->157
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 01198D2E
                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: efa61b24e9d49d6e082b52bbedfc6bc09ce120ce00da73ae7018e81743201508
                          • Instruction ID: cc81deb47b86d05a7144107791b5f85748c8d3c4f32615fb6903145c1fe3b103
                          • Opcode Fuzzy Hash: efa61b24e9d49d6e082b52bbedfc6bc09ce120ce00da73ae7018e81743201508
                          • Instruction Fuzzy Hash: 9311E0B5D006498FDB14CF9AC444BDEFBF4AF89224F14842AD929B7610D374A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2ba55ebf9c6fef000d747660e96136a46808a8ab0a5b594c4f62d64fb9a6faec
                          • Instruction ID: da29b26065dc26c9e70124978170be65dc82eb9bf8fb5f33d27238d2d915ffd5
                          • Opcode Fuzzy Hash: 2ba55ebf9c6fef000d747660e96136a46808a8ab0a5b594c4f62d64fb9a6faec
                          • Instruction Fuzzy Hash: A412B8F14117468AE332CF65E99818D3BB9B7453A8F90C328D2A16FAF9D7B4114ACF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4a0f2b66aa4834bb8105a89ace7f17eb04cdcb5790c15a779e77aabf506d80a0
                          • Instruction ID: ff5847ede7673be123c49844672713f415666e9f42552ae8da92b59c19e67c97
                          • Opcode Fuzzy Hash: 4a0f2b66aa4834bb8105a89ace7f17eb04cdcb5790c15a779e77aabf506d80a0
                          • Instruction Fuzzy Hash: 7BA17C32E0061A8FCF09DFB5D8445DEBBB2FF85304B15816AE915BB225EB35A905CF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.367715425.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_1190000_PAYMENT.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 945c40ad7adadc34a3b855383d9d923563a72dc62f9338d8a2b809e4fc0377aa
                          • Instruction ID: 111d4f8337da5dfd6cb12ea015310f2b8b2da69c683a549011c2de298b1e5c2d
                          • Opcode Fuzzy Hash: 945c40ad7adadc34a3b855383d9d923563a72dc62f9338d8a2b809e4fc0377aa
                          • Instruction Fuzzy Hash: 1DC13EB18117468BE721CF65E89818D3BB9FB453A8F50C328D1616F6F8D7B4108ACF44
                          Uniqueness

                          Uniqueness Score: -1.00%