Windows Analysis Report
z2PaymentAdviceD00772795264733.exe

Overview

General Information

Sample name: z2PaymentAdviceD00772795264733.exe
Analysis ID: 1559924
MD5: bb600d9f9b2c015c5dcec1e1a02684bc
SHA1: 8ab327f9aa495f7bc5b2e6101c1152463bedc24a
SHA256: 8dd1167ef29a5c350fd3004da6a685cf48c6c587dac25fc4786f9fd90284b5b1
Tags: exe, user-Porcupine

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\YDKFDa.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Virustotal: Detection: 31%
Source: z2PaymentAdviceD00772795264733.exe ReversingLabs: Detection: 34%
Source: z2PaymentAdviceD00772795264733.exe Virustotal: Detection: 31%
Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Joe Sandbox ML: detected
Source: z2PaymentAdviceD00772795264733.exe Joe Sandbox ML: detected
Source: z2PaymentAdviceD00772795264733.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z2PaymentAdviceD00772795264733.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: YDKFDa.exe, YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 4x nop then jmp 070BB014h 0_2_070BB7BF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 4x nop then jmp 06C3A214h 9_2_06C3A9BF
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1737008129.0000000002A1A000.00000004.00000800.00020000.00000000.sdmp, YDKFDa.exe, 00000009.00000002.1972590732.00000000027CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet.xsd
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet1.xsd
Source: z2PaymentAdviceD00772795264733.exe, YDKFDa.exe.0.dr String found in binary or memory: http://tempuri.org/ianiDataSet2.xsdM
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741748118.0000000006B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: initial sample Static PE information: Filename: z2PaymentAdviceD00772795264733.exe
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0042C713 NtClose, 13_2_0042C713
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_01AF2DF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_01AF2C70
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF35C0 NtCreateMutant,LdrInitializeThunk, 13_2_01AF35C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF4340 NtSetContextThread, 13_2_01AF4340
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF4650 NtSuspendThread, 13_2_01AF4650
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2BA0 NtEnumerateValueKey, 13_2_01AF2BA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2B80 NtQueryInformationFile, 13_2_01AF2B80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2BE0 NtQueryValueKey, 13_2_01AF2BE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2BF0 NtAllocateVirtualMemory, 13_2_01AF2BF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2B60 NtClose, 13_2_01AF2B60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2AB0 NtWaitForSingleObject, 13_2_01AF2AB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2AF0 NtWriteFile, 13_2_01AF2AF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2AD0 NtReadFile, 13_2_01AF2AD0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2DB0 NtEnumerateKey, 13_2_01AF2DB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2DD0 NtDelayExecution, 13_2_01AF2DD0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2D30 NtUnmapViewOfSection, 13_2_01AF2D30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2D00 NtSetInformationFile, 13_2_01AF2D00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2D10 NtMapViewOfSection, 13_2_01AF2D10
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2CA0 NtQueryInformationToken, 13_2_01AF2CA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2CF0 NtOpenProcess, 13_2_01AF2CF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2CC0 NtQueryVirtualMemory, 13_2_01AF2CC0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2C00 NtQueryInformationProcess, 13_2_01AF2C00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2C60 NtCreateKey, 13_2_01AF2C60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2FA0 NtQuerySection, 13_2_01AF2FA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2FB0 NtResumeThread, 13_2_01AF2FB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2F90 NtProtectVirtualMemory, 13_2_01AF2F90
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2FE0 NtCreateFile, 13_2_01AF2FE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2F30 NtCreateSection, 13_2_01AF2F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2F60 NtCreateProcessEx, 13_2_01AF2F60
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2EA0 NtAdjustPrivilegesToken, 13_2_01AF2EA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2E80 NtReadVirtualMemory, 13_2_01AF2E80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2EE0 NtQueueApcThread, 13_2_01AF2EE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF2E30 NtWriteVirtualMemory, 13_2_01AF2E30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF3090 NtSetValueKey, 13_2_01AF3090
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF3010 NtOpenDirectoryObject, 13_2_01AF3010
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF39B0 NtGetContextThread, 13_2_01AF39B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF3D10 NtOpenProcessToken, 13_2_01AF3D10
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF3D70 NtOpenThread, 13_2_01AF3D70
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_00FAD51C 0_2_00FAD51C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070BAE40 0_2_070BAE40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070BCC50 0_2_070BCC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B57CF 0_2_070B57CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B57E0 0_2_070B57E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B7400 0_2_070B7400
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B53A8 0_2_070B53A8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B4F60 0_2_070B4F60
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B4F70 0_2_070B4F70
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070BAE30 0_2_070BAE30
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B4B28 0_2_070B4B28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B4B38 0_2_070B4B38
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070BAE40 0_2_070BAE40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310100 8_2_01310100
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01366000 8_2_01366000
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013A02C0 8_2_013A02C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01344750 8_2_01344750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131C7C0 8_2_0131C7C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133C6E0 8_2_0133C6E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01336962 8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132A840 8_2_0132A840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01322840 8_2_01322840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013068B8 8_2_013068B8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01358890 8_2_01358890
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E8F0 8_2_0134E8F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131EA80 8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132AD00 8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132ED7A 8_2_0132ED7A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01338DBF 8_2_01338DBF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131ADE0 8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01328DC0 8_2_01328DC0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320C00 8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310CF2 8_2_01310CF2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01340F30 8_2_01340F30
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01362F28 8_2_01362F28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394F40 8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139EFA0 8_2_0139EFA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312FC8 8_2_01312FC8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320E59 8_2_01320E59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332E90 8_2_01332E90
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130F172 8_2_0130F172
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135516C 8_2_0135516C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132B1B0 8_2_0132B1B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130D34C 8_2_0130D34C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013233F3 8_2_013233F3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013252A0 8_2_013252A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133D2F0 8_2_0133D2F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133B2C0 8_2_0133B2C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01311460 8_2_01311460
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01323497 8_2_01323497
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013674E0 8_2_013674E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132B730 8_2_0132B730
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01329950 8_2_01329950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133B950 8_2_0133B950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01325990 8_2_01325990
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138D800 8_2_0138D800
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013238E0 8_2_013238E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133FB80 8_2_0133FB80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01395BF0 8_2_01395BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135DBF9 8_2_0135DBF9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01393A6C 8_2_01393A6C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01323D40 8_2_01323D40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133FDC0 8_2_0133FDC0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01399C32 8_2_01399C32
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01339C20 8_2_01339C20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01321F92 8_2_01321F92
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01329EB0 8_2_01329EB0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0042ED23 8_2_0042ED23
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_00CAD51C 9_2_00CAD51C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF6BE0 9_2_04CF6BE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF0040 9_2_04CF0040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF0007 9_2_04CF0007
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF6BD8 9_2_04CF6BD8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF6BD1 9_2_04CF6BD1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_052B5EE8 9_2_052B5EE8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_052BC520 9_2_052BC520
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_052B5020 9_2_052B5020
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C3BE50 9_2_06C3BE50
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C3A040 9_2_06C3A040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C357D9 9_2_06C357D9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C357E0 9_2_06C357E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C34F69 9_2_06C34F69
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C34F70 9_2_06C34F70
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C3A040 9_2_06C3A040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C37400 9_2_06C37400
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C353A8 9_2_06C353A8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C34B28 9_2_06C34B28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C34B38 9_2_06C34B38
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C3A03E 9_2_06C3A03E
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00403040 13_2_00403040
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0041694E 13_2_0041694E
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00416953 13_2_00416953
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040E153 13_2_0040E153
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00410173 13_2_00410173
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00401210 13_2_00401210
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040E297 13_2_0040E297
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040E2A3 13_2_0040E2A3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00402440 13_2_00402440
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040243B 13_2_0040243B
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0042ED23 13_2_0042ED23
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040FF53 13_2_0040FF53
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_004027A0 13_2_004027A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B801AA 13_2_01B801AA
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B741A2 13_2_01B741A2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B781CC 13_2_01B781CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AB0100 13_2_01AB0100
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B5A118 13_2_01B5A118
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B48158 13_2_01B48158
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B52000 13_2_01B52000
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ACE3F0 13_2_01ACE3F0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B803E6 13_2_01B803E6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7A352 13_2_01B7A352
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B402C0 13_2_01B402C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B60274 13_2_01B60274
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B80591 13_2_01B80591
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC0535 13_2_01AC0535
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B6E4F6 13_2_01B6E4F6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B64420 13_2_01B64420
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B72446 13_2_01B72446
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ABC7C0 13_2_01ABC7C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC0770 13_2_01AC0770
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AE4750 13_2_01AE4750
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ADC6E0 13_2_01ADC6E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC29A0 13_2_01AC29A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B8A9A6 13_2_01B8A9A6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AD6962 13_2_01AD6962
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AA68B8 13_2_01AA68B8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AEE8F0 13_2_01AEE8F0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ACA840 13_2_01ACA840
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC2840 13_2_01AC2840
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B76BD7 13_2_01B76BD7
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7AB40 13_2_01B7AB40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ABEA80 13_2_01ABEA80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AD8DBF 13_2_01AD8DBF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ABADE0 13_2_01ABADE0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B5CD1F 13_2_01B5CD1F
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ACAD00 13_2_01ACAD00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B60CB5 13_2_01B60CB5
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AB0CF2 13_2_01AB0CF2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC0C00 13_2_01AC0C00
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B3EFA0 13_2_01B3EFA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AB2FC8 13_2_01AB2FC8
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B62F30 13_2_01B62F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B02F28 13_2_01B02F28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AE0F30 13_2_01AE0F30
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B34F40 13_2_01B34F40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7CE93 13_2_01B7CE93
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AD2E90 13_2_01AD2E90
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7EEDB 13_2_01B7EEDB
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7EE26 13_2_01B7EE26
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC0E59 13_2_01AC0E59
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ACB1B0 13_2_01ACB1B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AF516C 13_2_01AF516C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B8B16B 13_2_01B8B16B
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AAF172 13_2_01AAF172
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7F0E0 13_2_01B7F0E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B770E9 13_2_01B770E9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC70C0 13_2_01AC70C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B6F0CC 13_2_01B6F0CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B0739A 13_2_01B0739A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7132D 13_2_01B7132D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AAD34C 13_2_01AAD34C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC52A0 13_2_01AC52A0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B612ED 13_2_01B612ED
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ADB2C0 13_2_01ADB2C0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B5D5B0 13_2_01B5D5B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B895C3 13_2_01B895C3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B77571 13_2_01B77571
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7F43F 13_2_01B7F43F
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AB1460 13_2_01AB1460
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7F7B0 13_2_01B7F7B0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B716CC 13_2_01B716CC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B05630 13_2_01B05630
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B55910 13_2_01B55910
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC9950 13_2_01AC9950
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ADB950 13_2_01ADB950
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC38E0 13_2_01AC38E0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B2D800 13_2_01B2D800
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ADFB80 13_2_01ADFB80
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B35BF0 13_2_01B35BF0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AFDBF9 13_2_01AFDBF9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7FB76 13_2_01B7FB76
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B05AA0 13_2_01B05AA0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B61AA3 13_2_01B61AA3
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B5DAAC 13_2_01B5DAAC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B6DAC6 13_2_01B6DAC6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B33A6C 13_2_01B33A6C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B77A46 13_2_01B77A46
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7FA49 13_2_01B7FA49
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01ADFDC0 13_2_01ADFDC0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B77D73 13_2_01B77D73
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC3D40 13_2_01AC3D40
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B71D5A 13_2_01B71D5A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7FCF2 13_2_01B7FCF2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B39C32 13_2_01B39C32
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7FFB1 13_2_01B7FFB1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC1F92 13_2_01AC1F92
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A83FD2 13_2_01A83FD2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A83FD5 13_2_01A83FD5
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01B7FF09 13_2_01B7FF09
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AC9EB0 13_2_01AC9EB0
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: String function: 01AAB970 appears 265 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: String function: 01B3F290 appears 105 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: String function: 01B07E54 appears 108 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: String function: 01B2EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: String function: 01AF5130 appears 58 times
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: String function: 01367E54 appears 96 times
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: String function: 0138EA12 appears 36 times
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1741267977.00000000053A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1737448738.0000000003C69000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1743663404.0000000007400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRutq.exe4 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe Binary or memory string: OriginalFilenameRutq.exe4 vs z2PaymentAdviceD00772795264733.exe
Source: z2PaymentAdviceD00772795264733.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z2PaymentAdviceD00772795264733.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YDKFDa.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: _0020.SetAccessControl
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: _0020.AddAccessRule
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: _0020.SetAccessControl
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs Security API names: _0020.AddAccessRule
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, KclBcqQh9EO5xB8FFV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, KclBcqQh9EO5xB8FFV.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@20/20@0/0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File created: C:\Users\user\AppData\Roaming\YDKFDa.exe
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Mutant created: \Sessions\1\BaseNamedObjects\ZAgVEtzlouGRfEVeNhaUyLVh
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8088:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7736
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File created: C:\Users\user\AppData\Local\Temp\tmpB018.tmp
Source: z2PaymentAdviceD00772795264733.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PLAN] ([CREDIT_ID], [MATURITY_DATE], [MATURITY_SUM], [MATURITY_NOTE], [MODIF_DATE]) VALUES (@CREDIT_ID, @MATURITY_DATE, @MATURITY_SUM, @MATURITY_NOTE, @MODIF_DATE);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE], [INTEREST]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE, @INTEREST);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: UPDATE [dbo].[Login] SET [User_id] = @User_id, [User_pass] = @User_pass WHERE (([User_id] = @Original_User_id) AND ([User_pass] = @Original_User_pass));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT_PLAN] SET [CREDIT_ID] = @CREDIT_ID, [MATURITY_DATE] = @MATURITY_DATE, [MATURITY_SUM] = @MATURITY_SUM, [MATURITY_NOTE] = @MATURITY_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([MATURITY_ID] = @Original_MATURITY_ID) AND ((@IsNull_CREDIT_ID = 1 AND [CREDIT_ID] IS NULL) OR ([CREDIT_ID] = @Original_CREDIT_ID)) AND ([MATURITY_DATE] = @Original_MATURITY_DATE) AND ([MATURITY_SUM] = @Original_MATURITY_SUM) AND ((@IsNull_MATURITY_NOTE = 1 AND [MATURITY_NOTE] IS NULL) OR ([MATURITY_NOTE] = @Original_MATURITY_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: INSERT INTO [dbo].[PROD_PERIODS] ([PROD_CODE], [PROD_PERIOD]) VALUES (@PROD_CODE, @PROD_PERIOD);
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: UPDATE [dbo].[INTEREST] SET [PROD_CODE] = @PROD_CODE, [PROD_PERIOD] = @PROD_PERIOD, [SUM_FROM] = @SUM_FROM, [SUM_TO] = @SUM_TO WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_PERIOD] = @Original_PROD_PERIOD) AND ([SUM_FROM] = @Original_SUM_FROM) AND ([SUM_TO] = @Original_SUM_TO));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT] SET [CREDIT_NO] = @CREDIT_NO, [CREDIT_DATE] = @CREDIT_DATE, [CREDIT_PERIOD] = @CREDIT_PERIOD, [CREDIT_END_DATE] = @CREDIT_END_DATE, [CREDIT_BEGIN_DATE] = @CREDIT_BEGIN_DATE, [CLIENT_ID] = @CLIENT_ID, [PROD_CODE] = @PROD_CODE, [CREDIT_SUM] = @CREDIT_SUM, [CREDIT_NOTE] = @CREDIT_NOTE, [MODIF_DATE] = @MODIF_DATE WHERE (([CREDIT_ID] = @Original_CREDIT_ID) AND ([CREDIT_NO] = @Original_CREDIT_NO) AND ((@IsNull_CREDIT_DATE = 1 AND [CREDIT_DATE] IS NULL) OR ([CREDIT_DATE] = @Original_CREDIT_DATE)) AND ([CREDIT_PERIOD] = @Original_CREDIT_PERIOD) AND ((@IsNull_CREDIT_END_DATE = 1 AND [CREDIT_END_DATE] IS NULL) OR ([CREDIT_END_DATE] = @Original_CREDIT_END_DATE)) AND ((@IsNull_CREDIT_BEGIN_DATE = 1 AND [CREDIT_BEGIN_DATE] IS NULL) OR ([CREDIT_BEGIN_DATE] = @Original_CREDIT_BEGIN_DATE)) AND ([CLIENT_ID] = @Original_CLIENT_ID) AND ((@IsNull_PROD_CODE = 1 AND [PROD_CODE] IS NULL) OR ([PROD_CODE] = @Original_PROD_CODE)) AND ([CREDIT_SUM] = @Original_CREDIT_SUM) AND ((@IsNull_CREDIT_NOTE = 1 AND [CREDIT_NOTE] IS NULL) OR ([CREDIT_NOTE] = @Original_CREDIT_NOTE)) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: UPDATE [dbo].[CREDIT_PRODUCT] SET [PROD_NAME] = @PROD_NAME, [PROD_ACTIVE] = @PROD_ACTIVE, [PROD_SUM_FROM] = @PROD_SUM_FROM, [PROD_SUM_TO] = @PROD_SUM_TO, [MODIF_DATE] = @MODIF_DATE WHERE (([PROD_CODE] = @Original_PROD_CODE) AND ([PROD_NAME] = @Original_PROD_NAME) AND ([PROD_ACTIVE] = @Original_PROD_ACTIVE) AND ([PROD_SUM_FROM] = @Original_PROD_SUM_FROM) AND ([PROD_SUM_TO] = @Original_PROD_SUM_TO) AND ((@IsNull_MODIF_DATE = 1 AND [MODIF_DATE] IS NULL) OR ([MODIF_DATE] = @Original_MODIF_DATE)));
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000000.1670478123.00000000004E2000.00000002.00000001.01000000.00000003.sdmp, YDKFDa.exe.0.dr Binary or memory string: INSERT INTO [dbo].[CREDIT_PRODUCT] ([PROD_NAME], [PROD_ACTIVE], [PROD_SUM_FROM], [PROD_SUM_TO], [MODIF_DATE]) VALUES (@PROD_NAME, @PROD_ACTIVE, @PROD_SUM_FROM, @PROD_SUM_TO, @MODIF_DATE);
Source: z2PaymentAdviceD00772795264733.exe ReversingLabs: Detection: 34%
Source: z2PaymentAdviceD00772795264733.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File read: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe
Source: unknown Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe C:\Users\user\AppData\Roaming\YDKFDa.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7736 -s 196
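The process chain above is the part of this report a detection engineer turns into rules: powershell.exe adding a Defender exclusion with Add-MpPreference, schtasks.exe registering "Updates\YDKFDa" from an XML file in %TEMP%, and each stage relaunching its own image (consistent with the suspended-mode and injection signatures listed in the header). The following scanner is an added example, not code from the Joe Sandbox report or from the sample: it parses "Process created" lines in the format used on this page and flags those three behaviours. The report lines embedded in it are copied from above; the base64-encoded variant is constructed here to exercise the decoding path that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit refers to. Rule names are my own.

```python
"""Added example (not part of the Joe Sandbox report): flag the Defender
exclusion, the scheduled task registered from %TEMP% and the self-relaunch
steps in "Process created" lines of the form used in this report."""
import base64
import re
from dataclasses import dataclass

# Report format: "Source: <parent image> Process created: <child image> <command line>".
# The child image is read up to the first space, which is how this report renders it.
LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# Base64 blob after any spelling PowerShell accepts for -EncodedCommand.
ENC_RE = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Add-/Set-MpPreference with any -Exclusion* parameter.
MPPREF_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)")
XML_RE = re.compile(r'(?i)/xml\s+"?([^"\s]+)')
TEMP_RE = re.compile(r"(?i)\\(?:appdata\\local\\temp|windows\\temp|temp)\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    image: str
    detail: str


def basename(path: str) -> str:
    # Match on the file name so SysWOW64 vs System32 redirection does not matter.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def visible_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) if present,
    so an exclusion cmdlet hidden behind base64 still matches MPPREF_RE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:
        return cmdline
    return f"{cmdline} {decoded}"


def check(parent: str, image: str, cmdline: str) -> list:
    exe = basename(image)
    hits = []
    if exe in ("powershell.exe", "pwsh.exe") and MPPREF_RE.search(visible_command(cmdline)):
        hits.append(Finding("defender_exclusion", parent, image, cmdline))
    if exe == "schtasks.exe" and "/create" in cmdline.lower():
        xml = XML_RE.search(cmdline)
        if xml and TEMP_RE.search(xml.group(1)):
            hits.append(Finding("schtask_from_temp_xml", parent, image, xml.group(1)))
    if parent.lower() == image.lower():
        # A process starting a fresh copy of its own image; in this report the
        # hollowed child is where the injected payload runs.
        hits.append(Finding("self_spawn", parent, image, cmdline))
    return hits


def scan(lines) -> list:
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            findings.extend(check(m["parent"], m["image"], m["cmdline"]))
    return findings


def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Process-creation lines copied from this report.
REPORT_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"',
    r'Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"',
    r'Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"',
    r'Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"',
    r'Source: unknown Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe C:\Users\user\AppData\Roaming\YDKFDa.exe',
    r'Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"',
    r'Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"',
]

# Constructed variant (not from the report): the same exclusion hidden behind
# -EncodedCommand, the form the base64 MpPreference Sigma rule targets.
_HIDDEN = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\YDKFDa.exe"'
ENCODED_VARIANT = (
    r"Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: "
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe "
    "-NoProfile -WindowStyle Hidden -EncodedCommand "
    + base64.b64encode(_HIDDEN.encode("utf-16le")).decode("ascii")
)

if __name__ == "__main__":
    for f in scan(REPORT_LINES + [ENCODED_VARIANT]):
        print(f"{f.rule:22} {basename(f.image):16} {f.detail}")
```

Matching on the image basename rather than the full path is deliberate: the report shows the 32-bit sample launching C:\Windows\SysWOW64\... while the command line names C:\Windows\System32\..., which is WOW64 file-system redirection, and a rule keyed on the full path would miss one of the two.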
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: z2PaymentAdviceD00772795264733.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z2PaymentAdviceD00772795264733.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: YDKFDa.exe, YDKFDa.exe, 0000000D.00000002.2170403542.0000000001A80000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: z2PaymentAdviceD00772795264733.exe, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: YDKFDa.exe.0.dr, InnerForm.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs .Net Code: na20fbkxvCbswZsQi8E System.Reflection.Assembly.Load(byte[])
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs .Net Code: na20fbkxvCbswZsQi8E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_00FADB84 pushfd ; ret 0_2_00FADB89
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 0_2_070B7210 push eax; ret 0_2_070B7211
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135C54D pushfd ; ret 8_2_0135C54E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135C54F push 8B012E67h; ret 8_2_0135C554
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013109AD push ecx; mov dword ptr [esp], ecx 8_2_013109B6
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135C9D7 push edi; ret 8_2_0135C9D9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_012E1368 push eax; iretd 8_2_012E1369
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_012E1FEC push eax; iretd 8_2_012E1FED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01367E99 push ecx; ret 8_2_01367EAC
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF3F14 push 00000039h; iretd 9_2_04CF3F16
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_04CF5B27 push ecx; iretd 9_2_04CF5B28
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C33291 pushfd ; retn 0006h 9_2_06C33292
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C33268 pushfd ; retn 0006h 9_2_06C3326A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 9_2_06C37210 push eax; ret 9_2_06C37211
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040587C push edi; iretd 13_2_0040587D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_004118C9 pushfd ; iretd 13_2_004118D6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0041713B push cs; iretd 13_2_0041714A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_004032C0 push eax; ret 13_2_004032C2
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040AABE push edi; retf 13_2_0040AABF
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00414C5F push cs; retf 13_2_00414C69
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0041EDFB push ss; retf 13_2_0041EE2D
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040D580 push ebx; iretd 13_2_0040D581
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040ADAA push esi; retf 13_2_0040ADAD
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_00423E23 push 0000006Dh; iretd 13_2_00423E2C
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_0040163A pushad ; retf 13_2_004016C1
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A8225F pushad ; ret 13_2_01A827F9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A827FA pushad ; ret 13_2_01A827F9
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01AB09AD push ecx; mov dword ptr [esp], ecx 13_2_01AB09B6
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A8283D push eax; iretd 13_2_01A82858
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Code function: 13_2_01A81368 push eax; iretd 13_2_01A81369
Source: z2PaymentAdviceD00772795264733.exe Static PE information: section name: .text entropy: 7.559709019658348
Source: YDKFDa.exe.0.dr Static PE information: section name: .text entropy: 7.559709019658348
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, nYmvkdAhZCTYJuCKng.cs High entropy of concatenated method names: 'Of1gTWHDQM', 'uZIguuIFH7', 'p2mgg9clij', 'NbFgYPwWEj', 'ti0gw9JmyB', 'PNmgjHGfy7', 'Dispose', 'B2X5kZRTZ9', 'kkV5qLvpok', 'vVl594D9pd'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, K1cJufyyCIR2KIpHJ9.cs High entropy of concatenated method names: 'w9qfDqVUum', 'AhWfZOTKO9', 'SGf9EfGd1e', 'DxE9oWHjqD', 'eBf919pwyb', 'Sq69aPH0mQ', 'equ9iMRMpa', 'ydP9VZEOAZ', 'CsE90dMGGE', 'O9s92hfXsb'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Yy2ZFgqwegfi3FfEQt.cs High entropy of concatenated method names: 'Dispose', 'PTYxNJuCKn', 'T0QclsOZuN', 'XtehktNMnh', 'svUxGel8Fi', 'x4IxzFVEHF', 'ProcessDialogKey', 'XLZctb816g', 'lDWcxobXNK', 'lWbccgu07t'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, M1NWG9BiiFVBaNvJyI.cs High entropy of concatenated method names: 'Tb9HP5lPN1', 'KLwHk4JiBZ', 'WbbHq2ZZ9r', 'G6CH9brl87', 'Qi7HfWMXCC', 'd4pHn82Gp6', 'fubHFd6JMx', 'kilHBlp8TA', 'HsrHOcgNUN', 'OlbHrkAq9a'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, ru07t6GJ9lAd9dj6MC.cs High entropy of concatenated method names: 'm3B39xV5qW', 'Vtt3fZbZ7L', 'FsW3n9LqUV', 't3R3FXXsO3', 'nw23g3FKAQ', 'o9E3BLCvXl', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, BRTYplzfvjAyl2MOEb.cs High entropy of concatenated method names: 'vSK3J7h3JM', 'qUg3Qjiueh', 'dnc3bClPli', 'yqe3Svl1GT', 'aEl3l9gqYm', 'G0O3owvxD2', 'wtL31rDiWL', 'FRQ3jYwrUK', 'KEZ3hfkAKc', 'fwd3KawluM'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, xMnfXU0XNQ1ICiOOEr.cs High entropy of concatenated method names: 'Qn2Fhkomjx', 'Hn1FKYuroc', 'IqvFe3XrZd', 'wSwFX86CEJ', 'I58FDOiXUh', 'YTDFJQBmmV', 'hpqFZIHjWS', 'T7jFQbQoyl', 'Yw6FbD40fh', 'kmXFyv7Kxk'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, uFmxiaRiFr2QYCpV8s.cs High entropy of concatenated method names: 'lyixFclBcq', 'x9ExBO5xB8', 'MLGxrnffu3', 'h0oxMra1cJ', 'TpHxTJ91ds', 'qC3xsHhQ33', 'IGl0bmfw6ZP44gR6nJ', 'XcMdYGq5LMtGCb4Evq', 'P52xxd6wMT', 'FUmxHwOlfu'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, BowMBBcoHQWY7UbhLX.cs High entropy of concatenated method names: 'aQLeN9q9q', 'vlbXJZQTq', 'a3yJBqiix', 'xSLZtm80L', 'm95bvwq89', 'udgyFA9M9', 'tDcbPNwCVn2HvLcP3L', 'z7k78v0qUlhKJ3pO58', 'Bqa57FeHZ', 'En43eR8Wx'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, F5EVg8xHOk1fwqogjLZ.cs High entropy of concatenated method names: 'pDGYGUUgch', 'FiMYzXLlYe', 'cvd6t4VfY5', 'IIciZMcRfmCJk1lVUGe', 'c1eUiXcMKDNQoFyNqmZ', 'MHemprcUdf1wJ5PMix5', 'BvOWebcmrJZjA3twxGW', 'JwahUdcys2naV7wX8it'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, JdsuC3SHhQ3393ODHe.cs High entropy of concatenated method names: 'uFfnP5pOkB', 'sVNnqSskIG', 'f2Jnfl7k4w', 'vEGnF5vfOr', 'XilnBXTakN', 'X1lf8S8kIw', 'MaGfpsVpPR', 'e2yfAMgpUO', 'xUkfLBfqcR', 'cWxfNcMdV8'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, cXsjaxxR9WVEt6jwxfJ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIC6gv6uwH', 'duI63TFi6u', 'bO26Ylwrhs', 'il666Ev8P8', 'VfY6wxbuod', 's4m6mp2pci', 'l0k6jFJmS2'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Avjx1C76uigvtU6Qws.cs High entropy of concatenated method names: 'tvOUQucBuw', 'EbdUbheP8A', 'A3sUSKnFSP', 'xcpUleTGwZ', 'qwOUoy5JrT', 'D1lU1vbJr1', 'l0pUiHrio7', 'oAvUVRWVDN', 'K96U2skIiL', 'dCuUWXnoFL'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, Db816gNODWobXNKOWb.cs High entropy of concatenated method names: 'j3bgSGuTgM', 'abmglaXKJt', 'kBvgEOvDrr', 'OHsgostY2g', 'rLIg1Tll5h', 'KoygaEmv5x', 'kOGgiHKhkZ', 'RnMgVob5Gb', 'lF8g0f4xoY', 'dM7g28MZQy'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, KclBcqQh9EO5xB8FFV.cs High entropy of concatenated method names: 'inNq4myadW', 'jrmqdkrh9o', 'CKXqvSirpx', 'EOJqIyBaOh', 'eDtq8qD8XC', 'Kqjqp87vI0', 'bjxqAk0F8a', 'joCqL0Y6i2', 'LQDqNXePJt', 'aBhqGyrqGV'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, j4pcLcvHWRp4PuZTlQ.cs High entropy of concatenated method names: 'ToString', 'U11sWV2XCI', 'gTLslQvjel', 'JVnsEykBDT', 'ivDso9JyHK', 'FP8s1mmDAc', 'kj4saeYOnI', 'iHasiKunK0', 'XFIsVV1Am7', 'OiNs0eUaLv'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, X39TauIjDMCm1sa1xU.cs High entropy of concatenated method names: 'nBOurEU7bS', 'VT5uMVeflB', 'ToString', 'K3eukBouq0', 'ubRuqeFynm', 'Ft8u9Ho3XV', 's2Xuftl2CT', 'pZ9unitQDP', 'zlAuFOKHVa', 'tIBuBpo0XR'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, aqKuXnp4ZmPrRxRDrx.cs High entropy of concatenated method names: 'N1VuLW8Zk3', 'SsluG94Cdr', 'yES5txbAgO', 'pPY5x2Clxs', 'tRsuWTYhE3', 'VAVuC2IsdG', 'FLau70B9HP', 'OU4u42Tunu', 'IT0udWaqFB', 'vbSuv883e9'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, mXGWpgxxAZFw381ML7N.cs High entropy of concatenated method names: 'f1c3GSDgKq', 'ENt3zIMPlx', 'jxpYtONDeV', 'naGYx9dq5m', 'jqfYcS0pMY', 'lB5YHTTlth', 'K47YRjtEvy', 'egEYPA1CyM', 'TuaYkeWNhs', 'wK1YqMNjdo'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, d7M2AVbLGnffu390or.cs High entropy of concatenated method names: 'smc9X5nRJd', 'jm99JffGic', 'Rqk9Q6Selu', 'jbB9bCNg0s', 'I3p9T8xfNQ', 'Cjx9sS5gc2', 'HBw9ui8Gvd', 'cpx95G9lOW', 'rmi9gxMUgF', 'h8V93v0LWF'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, unuVG2iWVfBeNU5qM5.cs High entropy of concatenated method names: 'YRhFkblV54', 'jkBF9PuayM', 'NdqFnbkE6I', 'DrSnGnL7FW', 'ERSnzhgc4m', 'oIUFtDLVXH', 'MHpFxcS2qu', 'ziUFctCShR', 'onbFH8NrTj', 'VdCFRrItf5'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, I3XxJdxt0LPKVUcBRnY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u3v3W847Ch', 'A4d3C9Mldt', 'yM437vWmgQ', 'RN334xrdJX', 'QQO3dnkr8a', 'EvL3vMUij3', 'MLn3I17TQY'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.3c92510.2.raw.unpack, qI8ifR4gNHogmluKif.cs High entropy of concatenated method names: 'wYsT2NaVgv', 'joWTCxMvSq', 'PysT4jeQ3d', 'uSjTdkiGM1', 'HYSTl06ZO3', 'DnpTE0sK5N', 'S0BToeJk9k', 'htlT1XWZCw', 'DDZTaU4XqI', 'Rt4TiAlomP'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, nYmvkdAhZCTYJuCKng.cs High entropy of concatenated method names: 'Of1gTWHDQM', 'uZIguuIFH7', 'p2mgg9clij', 'NbFgYPwWEj', 'ti0gw9JmyB', 'PNmgjHGfy7', 'Dispose', 'B2X5kZRTZ9', 'kkV5qLvpok', 'vVl594D9pd'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, K1cJufyyCIR2KIpHJ9.cs High entropy of concatenated method names: 'w9qfDqVUum', 'AhWfZOTKO9', 'SGf9EfGd1e', 'DxE9oWHjqD', 'eBf919pwyb', 'Sq69aPH0mQ', 'equ9iMRMpa', 'ydP9VZEOAZ', 'CsE90dMGGE', 'O9s92hfXsb'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Yy2ZFgqwegfi3FfEQt.cs High entropy of concatenated method names: 'Dispose', 'PTYxNJuCKn', 'T0QclsOZuN', 'XtehktNMnh', 'svUxGel8Fi', 'x4IxzFVEHF', 'ProcessDialogKey', 'XLZctb816g', 'lDWcxobXNK', 'lWbccgu07t'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, M1NWG9BiiFVBaNvJyI.cs High entropy of concatenated method names: 'Tb9HP5lPN1', 'KLwHk4JiBZ', 'WbbHq2ZZ9r', 'G6CH9brl87', 'Qi7HfWMXCC', 'd4pHn82Gp6', 'fubHFd6JMx', 'kilHBlp8TA', 'HsrHOcgNUN', 'OlbHrkAq9a'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, ru07t6GJ9lAd9dj6MC.cs High entropy of concatenated method names: 'm3B39xV5qW', 'Vtt3fZbZ7L', 'FsW3n9LqUV', 't3R3FXXsO3', 'nw23g3FKAQ', 'o9E3BLCvXl', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, BRTYplzfvjAyl2MOEb.cs High entropy of concatenated method names: 'vSK3J7h3JM', 'qUg3Qjiueh', 'dnc3bClPli', 'yqe3Svl1GT', 'aEl3l9gqYm', 'G0O3owvxD2', 'wtL31rDiWL', 'FRQ3jYwrUK', 'KEZ3hfkAKc', 'fwd3KawluM'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, xMnfXU0XNQ1ICiOOEr.cs High entropy of concatenated method names: 'Qn2Fhkomjx', 'Hn1FKYuroc', 'IqvFe3XrZd', 'wSwFX86CEJ', 'I58FDOiXUh', 'YTDFJQBmmV', 'hpqFZIHjWS', 'T7jFQbQoyl', 'Yw6FbD40fh', 'kmXFyv7Kxk'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, uFmxiaRiFr2QYCpV8s.cs High entropy of concatenated method names: 'lyixFclBcq', 'x9ExBO5xB8', 'MLGxrnffu3', 'h0oxMra1cJ', 'TpHxTJ91ds', 'qC3xsHhQ33', 'IGl0bmfw6ZP44gR6nJ', 'XcMdYGq5LMtGCb4Evq', 'P52xxd6wMT', 'FUmxHwOlfu'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, BowMBBcoHQWY7UbhLX.cs High entropy of concatenated method names: 'aQLeN9q9q', 'vlbXJZQTq', 'a3yJBqiix', 'xSLZtm80L', 'm95bvwq89', 'udgyFA9M9', 'tDcbPNwCVn2HvLcP3L', 'z7k78v0qUlhKJ3pO58', 'Bqa57FeHZ', 'En43eR8Wx'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, F5EVg8xHOk1fwqogjLZ.cs High entropy of concatenated method names: 'pDGYGUUgch', 'FiMYzXLlYe', 'cvd6t4VfY5', 'IIciZMcRfmCJk1lVUGe', 'c1eUiXcMKDNQoFyNqmZ', 'MHemprcUdf1wJ5PMix5', 'BvOWebcmrJZjA3twxGW', 'JwahUdcys2naV7wX8it'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, JdsuC3SHhQ3393ODHe.cs High entropy of concatenated method names: 'uFfnP5pOkB', 'sVNnqSskIG', 'f2Jnfl7k4w', 'vEGnF5vfOr', 'XilnBXTakN', 'X1lf8S8kIw', 'MaGfpsVpPR', 'e2yfAMgpUO', 'xUkfLBfqcR', 'cWxfNcMdV8'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, cXsjaxxR9WVEt6jwxfJ.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIC6gv6uwH', 'duI63TFi6u', 'bO26Ylwrhs', 'il666Ev8P8', 'VfY6wxbuod', 's4m6mp2pci', 'l0k6jFJmS2'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Avjx1C76uigvtU6Qws.cs High entropy of concatenated method names: 'tvOUQucBuw', 'EbdUbheP8A', 'A3sUSKnFSP', 'xcpUleTGwZ', 'qwOUoy5JrT', 'D1lU1vbJr1', 'l0pUiHrio7', 'oAvUVRWVDN', 'K96U2skIiL', 'dCuUWXnoFL'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, Db816gNODWobXNKOWb.cs High entropy of concatenated method names: 'j3bgSGuTgM', 'abmglaXKJt', 'kBvgEOvDrr', 'OHsgostY2g', 'rLIg1Tll5h', 'KoygaEmv5x', 'kOGgiHKhkZ', 'RnMgVob5Gb', 'lF8g0f4xoY', 'dM7g28MZQy'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, KclBcqQh9EO5xB8FFV.cs High entropy of concatenated method names: 'inNq4myadW', 'jrmqdkrh9o', 'CKXqvSirpx', 'EOJqIyBaOh', 'eDtq8qD8XC', 'Kqjqp87vI0', 'bjxqAk0F8a', 'joCqL0Y6i2', 'LQDqNXePJt', 'aBhqGyrqGV'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, j4pcLcvHWRp4PuZTlQ.cs High entropy of concatenated method names: 'ToString', 'U11sWV2XCI', 'gTLslQvjel', 'JVnsEykBDT', 'ivDso9JyHK', 'FP8s1mmDAc', 'kj4saeYOnI', 'iHasiKunK0', 'XFIsVV1Am7', 'OiNs0eUaLv'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, X39TauIjDMCm1sa1xU.cs High entropy of concatenated method names: 'nBOurEU7bS', 'VT5uMVeflB', 'ToString', 'K3eukBouq0', 'ubRuqeFynm', 'Ft8u9Ho3XV', 's2Xuftl2CT', 'pZ9unitQDP', 'zlAuFOKHVa', 'tIBuBpo0XR'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, aqKuXnp4ZmPrRxRDrx.cs High entropy of concatenated method names: 'N1VuLW8Zk3', 'SsluG94Cdr', 'yES5txbAgO', 'pPY5x2Clxs', 'tRsuWTYhE3', 'VAVuC2IsdG', 'FLau70B9HP', 'OU4u42Tunu', 'IT0udWaqFB', 'vbSuv883e9'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, mXGWpgxxAZFw381ML7N.cs High entropy of concatenated method names: 'f1c3GSDgKq', 'ENt3zIMPlx', 'jxpYtONDeV', 'naGYx9dq5m', 'jqfYcS0pMY', 'lB5YHTTlth', 'K47YRjtEvy', 'egEYPA1CyM', 'TuaYkeWNhs', 'wK1YqMNjdo'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, d7M2AVbLGnffu390or.cs High entropy of concatenated method names: 'smc9X5nRJd', 'jm99JffGic', 'Rqk9Q6Selu', 'jbB9bCNg0s', 'I3p9T8xfNQ', 'Cjx9sS5gc2', 'HBw9ui8Gvd', 'cpx95G9lOW', 'rmi9gxMUgF', 'h8V93v0LWF'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, unuVG2iWVfBeNU5qM5.cs High entropy of concatenated method names: 'YRhFkblV54', 'jkBF9PuayM', 'NdqFnbkE6I', 'DrSnGnL7FW', 'ERSnzhgc4m', 'oIUFtDLVXH', 'MHpFxcS2qu', 'ziUFctCShR', 'onbFH8NrTj', 'VdCFRrItf5'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, I3XxJdxt0LPKVUcBRnY.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u3v3W847Ch', 'A4d3C9Mldt', 'yM437vWmgQ', 'RN334xrdJX', 'QQO3dnkr8a', 'EvL3vMUij3', 'MLn3I17TQY'
Source: 0.2.z2PaymentAdviceD00772795264733.exe.7400000.4.raw.unpack, qI8ifR4gNHogmluKif.cs High entropy of concatenated method names: 'wYsT2NaVgv', 'joWTCxMvSq', 'PysT4jeQ3d', 'uSjTdkiGM1', 'HYSTl06ZO3', 'DnpTE0sK5N', 'S0BToeJk9k', 'htlT1XWZCw', 'DDZTaU4XqI', 'Rt4TiAlomP'
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe File created: C:\Users\user\AppData\Roaming\YDKFDa.exe

Boot Survival

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: Yara match File source: Process Memory Space: z2PaymentAdviceD00772795264733.exe PID: 7312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: YDKFDa.exe PID: 7792, type: MEMORYSTR
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: F40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 2760000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 78C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 8A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: 9A70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 4770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 71B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 81B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 8350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory allocated: 9350000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E0D0 rdtsc 8_2_0130E0D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5837
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5321
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe API coverage: 0.1 %
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe API coverage: 0.6 %
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe TID: 7828 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe TID: 8128 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\'
Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: z2PaymentAdviceD00772795264733.exe, 00000000.00000002.1733845497.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E0D0 rdtsc 8_2_0130E0D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01352DF0 LdrInitializeThunk, 8_2_01352DF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01340124 mov eax, dword ptr fs:[00000030h] 8_2_01340124
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01352160 mov eax, dword ptr fs:[00000030h] 8_2_01352160
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316154 mov eax, dword ptr fs:[00000030h] 8_2_01316154
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316154 mov eax, dword ptr fs:[00000030h] 8_2_01316154
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130C156 mov eax, dword ptr fs:[00000030h] 8_2_0130C156
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312140 mov ecx, dword ptr fs:[00000030h] 8_2_01312140
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312140 mov eax, dword ptr fs:[00000030h] 8_2_01312140
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h] 8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h] 8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h] 8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139019F mov eax, dword ptr fs:[00000030h] 8_2_0139019F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h] 8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h] 8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A197 mov eax, dword ptr fs:[00000030h] 8_2_0130A197
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01350185 mov eax, dword ptr fs:[00000030h] 8_2_01350185
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013401F8 mov eax, dword ptr fs:[00000030h] 8_2_013401F8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013261D1 mov eax, dword ptr fs:[00000030h] 8_2_013261D1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013261D1 mov eax, dword ptr fs:[00000030h] 8_2_013261D1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E1D0 mov ecx, dword ptr fs:[00000030h] 8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0138E1D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0136E1D8 mov eax, dword ptr fs:[00000030h] 8_2_0136E1D8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130C020 mov eax, dword ptr fs:[00000030h] 8_2_0130C020
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A020 mov eax, dword ptr fs:[00000030h] 8_2_0130A020
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h] 8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h] 8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h] 8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E016 mov eax, dword ptr fs:[00000030h] 8_2_0132E016
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394000 mov ecx, dword ptr fs:[00000030h] 8_2_01394000
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133C073 mov eax, dword ptr fs:[00000030h] 8_2_0133C073
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A060 mov eax, dword ptr fs:[00000030h] 8_2_0134A060
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312050 mov eax, dword ptr fs:[00000030h] 8_2_01312050
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396050 mov eax, dword ptr fs:[00000030h] 8_2_01396050
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013080A0 mov eax, dword ptr fs:[00000030h] 8_2_013080A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131208A mov eax, dword ptr fs:[00000030h] 8_2_0131208A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130C0F0 mov eax, dword ptr fs:[00000030h] 8_2_0130C0F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013520F0 mov ecx, dword ptr fs:[00000030h] 8_2_013520F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A0E3 mov ecx, dword ptr fs:[00000030h] 8_2_0130A0E3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013180E9 mov eax, dword ptr fs:[00000030h] 8_2_013180E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013960E0 mov eax, dword ptr fs:[00000030h] 8_2_013960E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013920DE mov eax, dword ptr fs:[00000030h] 8_2_013920DE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312324 mov eax, dword ptr fs:[00000030h] 8_2_01312324
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130C310 mov ecx, dword ptr fs:[00000030h] 8_2_0130C310
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01330310 mov ecx, dword ptr fs:[00000030h] 8_2_01330310
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h] 8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h] 8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A30B mov eax, dword ptr fs:[00000030h] 8_2_0134A30B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov ecx, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139035C mov eax, dword ptr fs:[00000030h] 8_2_0139035C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01392349 mov eax, dword ptr fs:[00000030h] 8_2_01392349
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h] 8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h] 8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308397 mov eax, dword ptr fs:[00000030h] 8_2_01308397
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h] 8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h] 8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E388 mov eax, dword ptr fs:[00000030h] 8_2_0130E388
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133438F mov eax, dword ptr fs:[00000030h] 8_2_0133438F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133438F mov eax, dword ptr fs:[00000030h] 8_2_0133438F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013463FF mov eax, dword ptr fs:[00000030h] 8_2_013463FF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013203E9 mov eax, dword ptr fs:[00000030h] 8_2_013203E9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A3C0 mov eax, dword ptr fs:[00000030h] 8_2_0131A3C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h] 8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h] 8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h] 8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013183C0 mov eax, dword ptr fs:[00000030h] 8_2_013183C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013963C0 mov eax, dword ptr fs:[00000030h] 8_2_013963C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130823B mov eax, dword ptr fs:[00000030h] 8_2_0130823B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320218 mov eax, dword ptr fs:[00000030h] 8_2_01320218
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h] 8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h] 8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314260 mov eax, dword ptr fs:[00000030h] 8_2_01314260
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130826B mov eax, dword ptr fs:[00000030h] 8_2_0130826B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A250 mov eax, dword ptr fs:[00000030h] 8_2_0130A250
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316259 mov eax, dword ptr fs:[00000030h] 8_2_01316259
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01398243 mov eax, dword ptr fs:[00000030h] 8_2_01398243
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01398243 mov ecx, dword ptr fs:[00000030h] 8_2_01398243
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013202A0 mov eax, dword ptr fs:[00000030h] 8_2_013202A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013202A0 mov eax, dword ptr fs:[00000030h] 8_2_013202A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E284 mov eax, dword ptr fs:[00000030h] 8_2_0134E284
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E284 mov eax, dword ptr fs:[00000030h] 8_2_0134E284
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h] 8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h] 8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01390283 mov eax, dword ptr fs:[00000030h] 8_2_01390283
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h] 8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h] 8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013202E1 mov eax, dword ptr fs:[00000030h] 8_2_013202E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A2C3 mov eax, dword ptr fs:[00000030h] 8_2_0131A2C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320535 mov eax, dword ptr fs:[00000030h] 8_2_01320535
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h] 8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h] 8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h] 8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h] 8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E53E mov eax, dword ptr fs:[00000030h] 8_2_0133E53E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h] 8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h] 8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134656A mov eax, dword ptr fs:[00000030h] 8_2_0134656A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013345B1 mov eax, dword ptr fs:[00000030h] 8_2_013345B1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013345B1 mov eax, dword ptr fs:[00000030h] 8_2_013345B1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E59C mov eax, dword ptr fs:[00000030h] 8_2_0134E59C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A580 mov ecx, dword ptr fs:[00000030h] 8_2_0130A580
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A580 mov eax, dword ptr fs:[00000030h] 8_2_0130A580
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312582 mov eax, dword ptr fs:[00000030h] 8_2_01312582
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312582 mov ecx, dword ptr fs:[00000030h] 8_2_01312582
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01344588 mov eax, dword ptr fs:[00000030h] 8_2_01344588
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013125E0 mov eax, dword ptr fs:[00000030h] 8_2_013125E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0133E5E7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C5ED mov eax, dword ptr fs:[00000030h] 8_2_0134C5ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C5ED mov eax, dword ptr fs:[00000030h] 8_2_0134C5ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013165D0 mov eax, dword ptr fs:[00000030h] 8_2_013165D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0134A5D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0134A5D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E5CF mov eax, dword ptr fs:[00000030h] 8_2_0134E5CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E5CF mov eax, dword ptr fs:[00000030h] 8_2_0134E5CF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A430 mov eax, dword ptr fs:[00000030h] 8_2_0134A430
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h] 8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h] 8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130E420 mov eax, dword ptr fs:[00000030h] 8_2_0130E420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130C427 mov eax, dword ptr fs:[00000030h] 8_2_0130C427
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01396420 mov eax, dword ptr fs:[00000030h] 8_2_01396420
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h] 8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h] 8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E413 mov eax, dword ptr fs:[00000030h] 8_2_0132E413
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h] 8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h] 8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348402 mov eax, dword ptr fs:[00000030h] 8_2_01348402
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h] 8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h] 8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133A470 mov eax, dword ptr fs:[00000030h] 8_2_0133A470
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139C460 mov ecx, dword ptr fs:[00000030h] 8_2_0139C460
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133245A mov eax, dword ptr fs:[00000030h] 8_2_0133245A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134E443 mov eax, dword ptr fs:[00000030h] 8_2_0134E443
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013444B0 mov ecx, dword ptr fs:[00000030h] 8_2_013444B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139A4B0 mov eax, dword ptr fs:[00000030h] 8_2_0139A4B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013064BA mov eax, dword ptr fs:[00000030h] 8_2_013064BA
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013164AB mov eax, dword ptr fs:[00000030h] 8_2_013164AB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316484 mov eax, dword ptr fs:[00000030h] 8_2_01316484
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013104E5 mov ecx, dword ptr fs:[00000030h] 8_2_013104E5
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134273C mov eax, dword ptr fs:[00000030h] 8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134273C mov ecx, dword ptr fs:[00000030h] 8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134273C mov eax, dword ptr fs:[00000030h] 8_2_0134273C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138C730 mov eax, dword ptr fs:[00000030h] 8_2_0138C730
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C720 mov eax, dword ptr fs:[00000030h] 8_2_0134C720
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C720 mov eax, dword ptr fs:[00000030h] 8_2_0134C720
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310710 mov eax, dword ptr fs:[00000030h] 8_2_01310710
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01340710 mov eax, dword ptr fs:[00000030h] 8_2_01340710
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C700 mov eax, dword ptr fs:[00000030h] 8_2_0134C700
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318770 mov eax, dword ptr fs:[00000030h] 8_2_01318770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320770 mov eax, dword ptr fs:[00000030h] 8_2_01320770
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310750 mov eax, dword ptr fs:[00000030h] 8_2_01310750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139E75D mov eax, dword ptr fs:[00000030h] 8_2_0139E75D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01352750 mov eax, dword ptr fs:[00000030h] 8_2_01352750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01352750 mov eax, dword ptr fs:[00000030h] 8_2_01352750
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394755 mov eax, dword ptr fs:[00000030h] 8_2_01394755
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130A740 mov eax, dword ptr fs:[00000030h] 8_2_0130A740
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134674D mov esi, dword ptr fs:[00000030h] 8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134674D mov eax, dword ptr fs:[00000030h] 8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134674D mov eax, dword ptr fs:[00000030h] 8_2_0134674D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013107AF mov eax, dword ptr fs:[00000030h] 8_2_013107AF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C7F0 mov eax, dword ptr fs:[00000030h] 8_2_0134C7F0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013147FB mov eax, dword ptr fs:[00000030h] 8_2_013147FB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013147FB mov eax, dword ptr fs:[00000030h] 8_2_013147FB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139E7E1 mov eax, dword ptr fs:[00000030h] 8_2_0139E7E1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h] 8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h] 8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013327ED mov eax, dword ptr fs:[00000030h] 8_2_013327ED
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131C7C0 mov eax, dword ptr fs:[00000030h] 8_2_0131C7C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013907C3 mov eax, dword ptr fs:[00000030h] 8_2_013907C3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348620 mov eax, dword ptr fs:[00000030h] 8_2_01348620
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01346620 mov eax, dword ptr fs:[00000030h] 8_2_01346620
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132E627 mov eax, dword ptr fs:[00000030h] 8_2_0132E627
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131262C mov eax, dword ptr fs:[00000030h] 8_2_0131262C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01352619 mov eax, dword ptr fs:[00000030h] 8_2_01352619
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E609 mov eax, dword ptr fs:[00000030h] 8_2_0138E609
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01342674 mov eax, dword ptr fs:[00000030h] 8_2_01342674
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A660 mov eax, dword ptr fs:[00000030h] 8_2_0134A660
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A660 mov eax, dword ptr fs:[00000030h] 8_2_0134A660
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132266C mov eax, dword ptr fs:[00000030h] 8_2_0132266C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132C640 mov eax, dword ptr fs:[00000030h] 8_2_0132C640
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013466B0 mov eax, dword ptr fs:[00000030h] 8_2_013466B0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C6A6 mov eax, dword ptr fs:[00000030h] 8_2_0134C6A6
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314690 mov eax, dword ptr fs:[00000030h] 8_2_01314690
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314690 mov eax, dword ptr fs:[00000030h] 8_2_01314690
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C68B mov eax, dword ptr fs:[00000030h] 8_2_0134C68B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013906F1 mov eax, dword ptr fs:[00000030h] 8_2_013906F1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013906F1 mov eax, dword ptr fs:[00000030h] 8_2_013906F1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0138E6F2
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h] 8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h] 8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h] 8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013226EB mov eax, dword ptr fs:[00000030h] 8_2_013226EB
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A6C7 mov ebx, dword ptr fs:[00000030h] 8_2_0134A6C7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A6C7 mov eax, dword ptr fs:[00000030h] 8_2_0134A6C7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139892A mov eax, dword ptr fs:[00000030h] 8_2_0139892A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308918 mov eax, dword ptr fs:[00000030h] 8_2_01308918
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308918 mov eax, dword ptr fs:[00000030h] 8_2_01308918
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139C912 mov eax, dword ptr fs:[00000030h] 8_2_0139C912
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E908 mov eax, dword ptr fs:[00000030h] 8_2_0138E908
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138E908 mov eax, dword ptr fs:[00000030h] 8_2_0138E908
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139C97C mov eax, dword ptr fs:[00000030h] 8_2_0139C97C
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h] 8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h] 8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01336962 mov eax, dword ptr fs:[00000030h] 8_2_01336962
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135096E mov eax, dword ptr fs:[00000030h] 8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135096E mov edx, dword ptr fs:[00000030h] 8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0135096E mov eax, dword ptr fs:[00000030h] 8_2_0135096E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A950 mov eax, dword ptr fs:[00000030h] 8_2_0134A950
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01390946 mov eax, dword ptr fs:[00000030h] 8_2_01390946
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013989B3 mov esi, dword ptr fs:[00000030h] 8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013989B3 mov eax, dword ptr fs:[00000030h] 8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013989B3 mov eax, dword ptr fs:[00000030h] 8_2_013989B3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013229A0 mov eax, dword ptr fs:[00000030h] 8_2_013229A0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013109AD mov eax, dword ptr fs:[00000030h] 8_2_013109AD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013109AD mov eax, dword ptr fs:[00000030h] 8_2_013109AD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013429F9 mov eax, dword ptr fs:[00000030h] 8_2_013429F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013429F9 mov eax, dword ptr fs:[00000030h] 8_2_013429F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139E9E0 mov eax, dword ptr fs:[00000030h] 8_2_0139E9E0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0131A9D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_013449D0 mov eax, dword ptr fs:[00000030h] 8_2_013449D0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134A830 mov eax, dword ptr fs:[00000030h] 8_2_0134A830
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov ecx, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01332835 mov eax, dword ptr fs:[00000030h] 8_2_01332835
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139C810 mov eax, dword ptr fs:[00000030h] 8_2_0139C810
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139E872 mov eax, dword ptr fs:[00000030h] 8_2_0139E872
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139E872 mov eax, dword ptr fs:[00000030h] 8_2_0139E872
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01340854 mov eax, dword ptr fs:[00000030h] 8_2_01340854
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314859 mov eax, dword ptr fs:[00000030h] 8_2_01314859
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01314859 mov eax, dword ptr fs:[00000030h] 8_2_01314859
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01322840 mov ecx, dword ptr fs:[00000030h] 8_2_01322840
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139C89D mov eax, dword ptr fs:[00000030h] 8_2_0139C89D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310887 mov eax, dword ptr fs:[00000030h] 8_2_01310887
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0134C8F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0134C8F9
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133E8C0 mov eax, dword ptr fs:[00000030h] 8_2_0133E8C0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133EB20 mov eax, dword ptr fs:[00000030h] 8_2_0133EB20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133EB20 mov eax, dword ptr fs:[00000030h] 8_2_0133EB20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138EB1D mov eax, dword ptr fs:[00000030h] 8_2_0138EB1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h] 8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h] 8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01322B79 mov eax, dword ptr fs:[00000030h] 8_2_01322B79
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130CB7E mov eax, dword ptr fs:[00000030h] 8_2_0130CB7E
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308B50 mov eax, dword ptr fs:[00000030h] 8_2_01308B50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320BBE mov eax, dword ptr fs:[00000030h] 8_2_01320BBE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320BBE mov eax, dword ptr fs:[00000030h] 8_2_01320BBE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h] 8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h] 8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318BF0 mov eax, dword ptr fs:[00000030h] 8_2_01318BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348BF0 mov ecx, dword ptr fs:[00000030h] 8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348BF0 mov eax, dword ptr fs:[00000030h] 8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348BF0 mov eax, dword ptr fs:[00000030h] 8_2_01348BF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139CBF0 mov eax, dword ptr fs:[00000030h] 8_2_0139CBF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h] 8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h] 8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310BCD mov eax, dword ptr fs:[00000030h] 8_2_01310BCD
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01334A35 mov eax, dword ptr fs:[00000030h] 8_2_01334A35
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01334A35 mov eax, dword ptr fs:[00000030h] 8_2_01334A35
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CA38 mov eax, dword ptr fs:[00000030h] 8_2_0134CA38
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CA24 mov eax, dword ptr fs:[00000030h] 8_2_0134CA24
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0139CA11 mov eax, dword ptr fs:[00000030h] 8_2_0139CA11
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308A00 mov eax, dword ptr fs:[00000030h] 8_2_01308A00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308A00 mov eax, dword ptr fs:[00000030h] 8_2_01308A00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138CA72 mov eax, dword ptr fs:[00000030h] 8_2_0138CA72
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138CA72 mov eax, dword ptr fs:[00000030h] 8_2_0138CA72
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h] 8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h] 8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CA6F mov eax, dword ptr fs:[00000030h] 8_2_0134CA6F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316A50 mov eax, dword ptr fs:[00000030h] 8_2_01316A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01340A50 mov eax, dword ptr fs:[00000030h] 8_2_01340A50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320A5B mov eax, dword ptr fs:[00000030h] 8_2_01320A5B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320A5B mov eax, dword ptr fs:[00000030h] 8_2_01320A5B
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133EA5D mov eax, dword ptr fs:[00000030h] 8_2_0133EA5D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318AA0 mov eax, dword ptr fs:[00000030h] 8_2_01318AA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318AA0 mov eax, dword ptr fs:[00000030h] 8_2_01318AA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01366AA4 mov eax, dword ptr fs:[00000030h] 8_2_01366AA4
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01348A90 mov edx, dword ptr fs:[00000030h] 8_2_01348A90
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130EA80 mov eax, dword ptr fs:[00000030h] 8_2_0130EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130EA80 mov eax, dword ptr fs:[00000030h] 8_2_0130EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131EA80 mov eax, dword ptr fs:[00000030h] 8_2_0131EA80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134AAEE mov eax, dword ptr fs:[00000030h] 8_2_0134AAEE
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310AD0 mov eax, dword ptr fs:[00000030h] 8_2_01310AD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01344AD0 mov eax, dword ptr fs:[00000030h] 8_2_01344AD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01366ACC mov eax, dword ptr fs:[00000030h] 8_2_01366ACC
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133ED25 mov eax, dword ptr fs:[00000030h] 8_2_0133ED25
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01398D20 mov eax, dword ptr fs:[00000030h] 8_2_01398D20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01306D10 mov eax, dword ptr fs:[00000030h] 8_2_01306D10
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01344D1D mov eax, dword ptr fs:[00000030h] 8_2_01344D1D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0132AD00 mov eax, dword ptr fs:[00000030h] 8_2_0132AD00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01310D59 mov eax, dword ptr fs:[00000030h] 8_2_01310D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01318D59 mov eax, dword ptr fs:[00000030h] 8_2_01318D59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CDB1 mov ecx, dword ptr fs:[00000030h] 8_2_0134CDB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CDB1 mov eax, dword ptr fs:[00000030h] 8_2_0134CDB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01338DBF mov eax, dword ptr fs:[00000030h] 8_2_01338DBF
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01346DA0 mov eax, dword ptr fs:[00000030h] 8_2_01346DA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133CDF0 mov eax, dword ptr fs:[00000030h] 8_2_0133CDF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133CDF0 mov ecx, dword ptr fs:[00000030h] 8_2_0133CDF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131ADE0 mov eax, dword ptr fs:[00000030h] 8_2_0131ADE0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01330DE1 mov eax, dword ptr fs:[00000030h] 8_2_01330DE1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130CDEA mov eax, dword ptr fs:[00000030h] 8_2_0130CDEA
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133EDD3 mov eax, dword ptr fs:[00000030h] 8_2_0133EDD3
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394DD7 mov eax, dword ptr fs:[00000030h] 8_2_01394DD7
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130EC20 mov eax, dword ptr fs:[00000030h] 8_2_0130EC20
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01320C00 mov eax, dword ptr fs:[00000030h] 8_2_01320C00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CC00 mov eax, dword ptr fs:[00000030h] 8_2_0134CC00
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394C0F mov eax, dword ptr fs:[00000030h] 8_2_01394C0F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131AC50 mov eax, dword ptr fs:[00000030h] 8_2_0131AC50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01316C50 mov eax, dword ptr fs:[00000030h] 8_2_01316C50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01344C59 mov eax, dword ptr fs:[00000030h] 8_2_01344C59
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01330C44 mov eax, dword ptr fs:[00000030h] 8_2_01330C44
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01338CB1 mov eax, dword ptr fs:[00000030h] 8_2_01338CB1
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138CCA0 mov ecx, dword ptr fs:[00000030h] 8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0138CCA0 mov eax, dword ptr fs:[00000030h] 8_2_0138CCA0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308C8D mov eax, dword ptr fs:[00000030h] 8_2_01308C8D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01342CF0 mov eax, dword ptr fs:[00000030h] 8_2_01342CF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308CD0 mov eax, dword ptr fs:[00000030h] 8_2_01308CD0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130CCC8 mov eax, dword ptr fs:[00000030h] 8_2_0130CCC8
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133EF28 mov eax, dword ptr fs:[00000030h] 8_2_0133EF28
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01312F12 mov eax, dword ptr fs:[00000030h] 8_2_01312F12
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CF1F mov eax, dword ptr fs:[00000030h] 8_2_0134CF1F
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01354F03 mov eax, dword ptr fs:[00000030h] 8_2_01354F03
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01346F60 mov eax, dword ptr fs:[00000030h] 8_2_01346F60
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0133AF69 mov eax, dword ptr fs:[00000030h] 8_2_0133AF69
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0130CF50 mov eax, dword ptr fs:[00000030h] 8_2_0130CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CF50 mov eax, dword ptr fs:[00000030h] 8_2_0134CF50
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01394F40 mov eax, dword ptr fs:[00000030h] 8_2_01394F40
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01342F98 mov eax, dword ptr fs:[00000030h] 8_2_01342F98
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0134CF80 mov eax, dword ptr fs:[00000030h] 8_2_0134CF80
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_0131EF8D mov eax, dword ptr fs:[00000030h] 8_2_0131EF8D
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308FF0 mov ecx, dword ptr fs:[00000030h] 8_2_01308FF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Code function: 8_2_01308FF0 mov eax, dword ptr fs:[00000030h] 8_2_01308FF0
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Memory written: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Memory written: C:\Users\user\AppData\Roaming\YDKFDa.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpB018.tmp"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Process created: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe "C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe"
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YDKFDa" /XML "C:\Users\user\AppData\Local\Temp\tmpCA38.tmp"
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Process created: C:\Users\user\AppData\Roaming\YDKFDa.exe "C:\Users\user\AppData\Roaming\YDKFDa.exe"
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Queries volume information: C:\Users\user\AppData\Roaming\YDKFDa.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\YDKFDa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\z2PaymentAdviceD00772795264733.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.YDKFDa.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2169765906.00000000015B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2169311016.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos