Windows Analysis Report
Payment TT Copy.PDF.exe

Overview

General Information

Sample name: Payment TT Copy.PDF.exe
Analysis ID: 1519410
MD5: 25e0c13b707f3ebce3f35e806ac547d7
SHA1: 647c3a60022eaa64b8d43c92834f0d040f305ccf
SHA256: 1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4
Tags: AlphaBankexegeoGRCuser-NDA0E

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe ReversingLabs: Detection: 26%
Source: Payment TT Copy.PDF.exe ReversingLabs: Detection: 26%
Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Joe Sandbox ML: detected
Source: Payment TT Copy.PDF.exe Joe Sandbox ML: detected
Source: Payment TT Copy.PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment TT Copy.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: vysx.pdb source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment TT Copy.PDF.exe, Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: vysx.pdbSHA256 source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2127687121.0000000002F96000.00000004.00000800.00020000.00000000.sdmp, VajtonZVfAG.exe, 0000000E.00000002.2177704253.0000000002E99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

E-Banking Fraud

Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: Payment TT Copy.PDF.exe
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_0042BFE3 NtClose, 13_2_0042BFE3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62B60 NtClose,LdrInitializeThunk, 13_2_00F62B60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_00F62C70
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_00F62DF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F635C0 NtCreateMutant,LdrInitializeThunk, 13_2_00F635C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F64340 NtSetContextThread, 13_2_00F64340
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F64650 NtSuspendThread, 13_2_00F64650
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62AF0 NtWriteFile, 13_2_00F62AF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62AD0 NtReadFile, 13_2_00F62AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62AB0 NtWaitForSingleObject, 13_2_00F62AB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62BF0 NtAllocateVirtualMemory, 13_2_00F62BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62BE0 NtQueryValueKey, 13_2_00F62BE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62BA0 NtEnumerateValueKey, 13_2_00F62BA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62B80 NtQueryInformationFile, 13_2_00F62B80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62CF0 NtOpenProcess, 13_2_00F62CF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62CC0 NtQueryVirtualMemory, 13_2_00F62CC0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62CA0 NtQueryInformationToken, 13_2_00F62CA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62C60 NtCreateKey, 13_2_00F62C60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62C00 NtQueryInformationProcess, 13_2_00F62C00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62DD0 NtDelayExecution, 13_2_00F62DD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62DB0 NtEnumerateKey, 13_2_00F62DB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62D30 NtUnmapViewOfSection, 13_2_00F62D30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62D10 NtMapViewOfSection, 13_2_00F62D10
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62D00 NtSetInformationFile, 13_2_00F62D00
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62EE0 NtQueueApcThread, 13_2_00F62EE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62EA0 NtAdjustPrivilegesToken, 13_2_00F62EA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62E80 NtReadVirtualMemory, 13_2_00F62E80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62E30 NtWriteVirtualMemory, 13_2_00F62E30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62FE0 NtCreateFile, 13_2_00F62FE0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62FB0 NtResumeThread, 13_2_00F62FB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62FA0 NtQuerySection, 13_2_00F62FA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62F90 NtProtectVirtualMemory, 13_2_00F62F90
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62F60 NtCreateProcessEx, 13_2_00F62F60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62F30 NtCreateSection, 13_2_00F62F30
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F63090 NtSetValueKey, 13_2_00F63090
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F63010 NtOpenDirectoryObject, 13_2_00F63010
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F639B0 NtGetContextThread, 13_2_00F639B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F63D70 NtOpenThread, 13_2_00F63D70
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F63D10 NtOpenProcessToken, 13_2_00F63D10
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: String function: 00F65130 appears 58 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: String function: 00FAF290 appears 105 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: String function: 00F77E54 appears 111 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: String function: 00F1B970 appears 280 times
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: String function: 00F9EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: String function: 0182EA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: String function: 01807E54 appears 97 times
Source: Payment TT Copy.PDF.exe Static PE information: invalid certificate
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2147183357.0000000007F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2146677318.0000000007AE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameh vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000000.2097070980.0000000000BA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevysx.exe> vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2116090602.000000000119E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.000000000101D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe Binary or memory string: OriginalFilenamevysx.exe> vs Payment TT Copy.PDF.exe
Source: Payment TT Copy.PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Payment TT Copy.PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VajtonZVfAG.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, dMEHjpgLgkpneUikvJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, dMEHjpgLgkpneUikvJ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.evad.winEXE@30/15@0/0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File created: C:\Users\user\AppData\Local\Temp\tmp78CA.tmp
Source: Payment TT Copy.PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment TT Copy.PDF.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File read: C:\Users\user\Desktop\Payment TT Copy.PDF.exe
Source: unknown Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe C:\Users\user\AppData\Roaming\VajtonZVfAG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Payment TT Copy.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment TT Copy.PDF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Payment TT Copy.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: vysx.pdb source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment TT Copy.PDF.exe, Payment TT Copy.PDF.exe, 0000000D.00000002.2167161985.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: vysx.pdbSHA256 source: Payment TT Copy.PDF.exe, VajtonZVfAG.exe.0.dr

Data Obfuscation

Source: Payment TT Copy.PDF.exe, MainForm.cs .Net Code: InitializeComponent
Source: VajtonZVfAG.exe.0.dr, MainForm.cs .Net Code: InitializeComponent
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs .Net Code: hea2mJKgcR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs .Net Code: hea2mJKgcR System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: Payment TT Copy.PDF.exe Static PE information: 0xA55FACED [Sun Dec 2 09:27:09 2057 UTC]
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 0_2_075B04EB push ecx; ret 0_2_075B04EC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 0_2_075B1106 push ebx; retf 0_2_075B111A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 0_2_075B3DC7 push edx; ret 0_2_075B3DCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00403040 push eax; ret 13_2_00403042
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00415040 push eax; iretd 13_2_00415043
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00406167 push ebp; ret 13_2_0040616B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00413560 push 00000076h; iretd 13_2_0041356F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_0041EF5B push ss; ret 13_2_0041EF97
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00423720 pushfd ; ret 13_2_00423738
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_0041EFB8 push ss; ret 13_2_0041EF97
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00EF225F pushad ; ret 13_2_00EF27F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00EF27FA pushad ; ret 13_2_00EF27F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00EF283D push eax; iretd 13_2_00EF2858
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F209AD push ecx; mov dword ptr [esp], ecx 13_2_00F209B6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00EF1368 push eax; iretd 13_2_00EF1369
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 14_2_02D0EB08 pushfd ; iretd 14_2_02D0EB09
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 14_2_07393DC8 push edx; ret 14_2_07393DCB
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 14_2_073904EB push ecx; ret 14_2_073904EC
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 19_2_017FC54D pushfd ; ret 19_2_017FC54E
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 19_2_017FC9D7 push edi; ret 19_2_017FC9D9
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 19_2_017B09AD push ecx; mov dword ptr [esp], ecx 19_2_017B09B6
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 19_2_01781FEC push eax; iretd 19_2_01781FED
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Code function: 19_2_01807E99 push ecx; ret 19_2_01807EAC
Source: Payment TT Copy.PDF.exe Static PE information: section name: .text entropy: 7.841420186356563
Source: VajtonZVfAG.exe.0.dr Static PE information: section name: .text entropy: 7.841420186356563
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Jom9LF10HHRdVrln7yk.cs High entropy of concatenated method names: 'BDiO17HcrO', 'mdkOY9CXnK', 'DQNOmYDYZD', 'RK1OpGX9Ci', 'W45OeGobun', 'psAOWedCSk', 'Fe8OixokDF', 'a1yOVtHy8c', 'nqEOcSK0Cp', 'Ma6ObbPQa6'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, NynZVPIgXQvWDJeDSi.cs High entropy of concatenated method names: 'lidmYnTf6', 'otWppmljF', 'YqWWVQ3Pn', 'GpWiYAC8D', 'r6wcXGceK', 'SiFb6qp7k', 'aFxNwlMr7Jf8Gwi77y', 'xInqIB8bijPtdX9voa', 'EUYn2YPXp', 'UbdkyiUIc'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, RBypbDhhDrVS7AathM.cs High entropy of concatenated method names: 'K3nIQv2thQ', 'x8lIvmNFDG', 'XFVIq557Ds', 'DgeIKvJoNb', 'eJ5IDMn3xP', 'ergIrtSiFF', 'sTgIGhGX5O', 'Hj7IFbGJZY', 'cWfIP8UP21', 'PyoI35aoFD'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, dMEHjpgLgkpneUikvJ.cs High entropy of concatenated method names: 'aZvq0I5BJS', 'CpFqjBbvuV', 'vZFqgji7in', 'lkrq8flCvc', 'uRlqN9S38I', 'bVaqHN35sI', 'ABqqoTJ6ay', 'fp0qCFYp04', 'GkaqAKYmgT', 'pTGq5oeIy6'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, y9FXtZZQduItxqIplZ.cs High entropy of concatenated method names: 'Gt56M9UMOD', 'zys6RBWZIe', 'EZs60fHqIa', 'M6M6jBP0qA', 'QgS6x5IQhs', 'MSL6woAVYe', 'aRQ6S3KmPl', 'ktC64VVJvY', 'n0b6fXpBtw', 'xq16ht486k'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, xfyPKow3lFF1jNUg6r.cs High entropy of concatenated method names: 'qlg7ChNIVW', 'L2r75OrsaN', 'Jdrnsh41x4', 'c0unygwmuI', 'DgN7J3RMYE', 'QGY7RrpjD5', 'hl37Zkvr4Q', 'PRj70SoaBM', 'Bsj7jlJKca', 'r1m7g1QdKI'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Qxy3IX6wCrgnogBVFg.cs High entropy of concatenated method names: 'ToString', 'MspBJvJRr7', 'CbRBxM2mFN', 'rULBwpsxZw', 'o3XBSQkpAb', 'r72B4WXYws', 'DQiBfYqPQS', 'vbgBhYqZKB', 'NvOBXJKu2s', 'a23BUqC8uR'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, M6ngbr5bXOptCR8PEO.cs High entropy of concatenated method names: 'cQ6De8le3c', 'khtDipwSEl', 'Kr8Kwls2qK', 'PY5KSq5n42', 'IFdK44s8gf', 'Cb5KfK1fRH', 'KcSKh0AM0B', 'h9SKXBgJc3', 'qrpKU868GE', 'i9bKMt64K5'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, t9tVbiV0uPTUYfS1dW.cs High entropy of concatenated method names: 'VhkrQiEtlO', 'KcLrqvWG3M', 'qfcrDfUAHv', 'qVBrGV512w', 'MSmrFPfg7S', 'vXoDNQatvg', 'tZkDHyVrQv', 'pAqDoGGLo4', 'JaiDCLUTXV', 'SOTDAXui2v'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, eCwvkyYw2voigtMyuf.cs High entropy of concatenated method names: 'Dispose', 's4ZyAPMsJ3', 'QvGdxhFvTk', 'zXCll878ix', 'XXJy5ZA1CU', 'A2cyzvykD0', 'ProcessDialogKey', 'W4adsN6WRk', 'RmVdyp6ID0', 'iujddq2WKO'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, e44qn8M52P8GCkIp9P.cs High entropy of concatenated method names: 'tCH73mH031', 'uUE79kDDow', 'ToString', 'pDE7vr93Te', 'RAe7q2EpmH', 'Xct7KaQxa0', 'eJK7Dpsq6w', 'X2s7r12t5y', 'bOj7GDb6TZ', 'HR97FIZDxC'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, hciy9U1fMqouS4CXbnu.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OLtk0OPPJp', 'IafkjydZHR', 'BxBkg4w8uL', 'ypHk8SXlTb', 'NybkNYXFB4', 'hfNkHRnqjs', 'Bx7kox48Am'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, pPdWsx11eD9j2f3e7wZ.cs High entropy of concatenated method names: 'ToString', 'QmIkINlAM0', 'r93k21VvJV', 'WmXkQfbhW2', 'S6FkvBEAOX', 'i5Hkq7UfKq', 'T6skKhrp76', 'xjvkDbbgcM', 'zPGFrQIesnxCkOfMAG7', 'dYYEdmIaPShsVNMccI9'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Nou66DloiqYx4178FS.cs High entropy of concatenated method names: 'MSDG1NOSyn', 'MakGYpXNWM', 'EAmGmjaLgC', 'qhCGpHbQXB', 'ws8Ge8Ymad', 'w3yGW0ykb1', 'bXwGieFxfh', 'CksGVbetye', 'QByGcigtIF', 'GD4GbcTF7P'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, C86G4ZDECc2GTFZTYL.cs High entropy of concatenated method names: 'IdeKpyeZcu', 'OUTKWsnCvs', 'rmLKVFRbem', 'IUPKctApE3', 'i9xK6O5bnJ', 'zx2KBG4H94', 'rk5K7ek2hh', 'dAIKn9wJDG', 'DowKOfdC5A', 'nK3Kk7caqC'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, jZcqeZ3FX7MH3R5KrW.cs High entropy of concatenated method names: 'splOyUZ5jP', 'TFAOIIFlW7', 'XU2O2UIe1t', 'ON4OvjJXAC', 'v9vOqUA5Fy', 'JDSODy7u6T', 'JAqOrYg1OY', 'AANnoSohip', 'KnOnCrWG6l', 'gcpnAYLOHv'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, lfkj82aySIExnQ9DGG.cs High entropy of concatenated method names: 'yNBLVDBZsy', 'KYcLcmjnp5', 'SHsLTmZgSD', 'iqnLxptXkP', 'XapLSs1Lf8', 'PSZL42pGlj', 'RvPLhBkdJF', 'MaXLXClqQo', 'GuSLMcnQtX', 'knvLJBESEZ'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, VeVkon4uYBxlo0Z935.cs High entropy of concatenated method names: 'eLHnTLpuv5', 'WhxnxrhLnB', 'X0EnwoyCJE', 'qfnnS9hIX4', 'hfPn0xInfR', 'fNKn4Fn2eu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, PfY4hhpdWPrhK6QVIP.cs High entropy of concatenated method names: 'T0yGvd8HxM', 'h42GKUxQji', 'EsaGrQVKmn', 'wyjr5tYp4P', 'GltrzVwa1c', 'E2gGsxXlYF', 'EDsGyTOTGs', 'KHOGdwXBQc', 'gfiGIA8qK0', 'OWpG2mk7bN'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, zM8kKvzcu2nNZjrZbk.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDxOLeArle', 'zqiO6WpSdL', 'QG7OB4fpwW', 'eIbO7HBUhu', 'QCnOnK4lNZ', 'Vu9OOD3WeG', 'm1IOkIRxwR'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, GiwBEN7EoeMMlMNy9T.cs High entropy of concatenated method names: 'AoJyGdlIar', 'l8wyFvoPMS', 'TLLy3fiaVy', 'ic2y98ig4i', 'WyNy6XeVU9', 'FXyyBDyuTD', 'hP0bm0wfSj5VSkCi3K', 'poy3c9sNW1MRT8YYOK', 'c9myydolTV', 'du4yIeB3B4'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, Y6eTJPtAxoYndBNoX2.cs High entropy of concatenated method names: 'MBtrEXUMnE', 'Sicr1pFo2F', 'HjCrmIU44a', 'kAVrpVwko8', 'FVKrWAMvqj', 'n8GriJ4gUQ', 'Llxrc0JH8y', 'xobrbvID7F', 'uKsFxmSdGUHuteDT76d', 'WpMQaJSRZn03nRYxlXB'
Source: 0.2.Payment TT Copy.PDF.exe.41f6e20.4.raw.unpack, mEyRMSiXZwHKbxKOdG.cs High entropy of concatenated method names: 'g1PnvHs4IV', 'fVCnqsHDfu', 'EvVnKBDg3P', 'BdXnDfLfcn', 'j6hnr145Fm', 'SaCnGBc9uV', 'QAKnFWsGZY', 'FdEnPRDMO9', 'XXSn3JYpIn', 'EaWn9CgVcC'
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.5a00000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2f7a208.2.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2f6d9e0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Jom9LF10HHRdVrln7yk.cs High entropy of concatenated method names: 'BDiO17HcrO', 'mdkOY9CXnK', 'DQNOmYDYZD', 'RK1OpGX9Ci', 'W45OeGobun', 'psAOWedCSk', 'Fe8OixokDF', 'a1yOVtHy8c', 'nqEOcSK0Cp', 'Ma6ObbPQa6'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, NynZVPIgXQvWDJeDSi.cs High entropy of concatenated method names: 'lidmYnTf6', 'otWppmljF', 'YqWWVQ3Pn', 'GpWiYAC8D', 'r6wcXGceK', 'SiFb6qp7k', 'aFxNwlMr7Jf8Gwi77y', 'xInqIB8bijPtdX9voa', 'EUYn2YPXp', 'UbdkyiUIc'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, RBypbDhhDrVS7AathM.cs High entropy of concatenated method names: 'K3nIQv2thQ', 'x8lIvmNFDG', 'XFVIq557Ds', 'DgeIKvJoNb', 'eJ5IDMn3xP', 'ergIrtSiFF', 'sTgIGhGX5O', 'Hj7IFbGJZY', 'cWfIP8UP21', 'PyoI35aoFD'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, dMEHjpgLgkpneUikvJ.cs High entropy of concatenated method names: 'aZvq0I5BJS', 'CpFqjBbvuV', 'vZFqgji7in', 'lkrq8flCvc', 'uRlqN9S38I', 'bVaqHN35sI', 'ABqqoTJ6ay', 'fp0qCFYp04', 'GkaqAKYmgT', 'pTGq5oeIy6'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, y9FXtZZQduItxqIplZ.cs High entropy of concatenated method names: 'Gt56M9UMOD', 'zys6RBWZIe', 'EZs60fHqIa', 'M6M6jBP0qA', 'QgS6x5IQhs', 'MSL6woAVYe', 'aRQ6S3KmPl', 'ktC64VVJvY', 'n0b6fXpBtw', 'xq16ht486k'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, xfyPKow3lFF1jNUg6r.cs High entropy of concatenated method names: 'qlg7ChNIVW', 'L2r75OrsaN', 'Jdrnsh41x4', 'c0unygwmuI', 'DgN7J3RMYE', 'QGY7RrpjD5', 'hl37Zkvr4Q', 'PRj70SoaBM', 'Bsj7jlJKca', 'r1m7g1QdKI'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Qxy3IX6wCrgnogBVFg.cs High entropy of concatenated method names: 'ToString', 'MspBJvJRr7', 'CbRBxM2mFN', 'rULBwpsxZw', 'o3XBSQkpAb', 'r72B4WXYws', 'DQiBfYqPQS', 'vbgBhYqZKB', 'NvOBXJKu2s', 'a23BUqC8uR'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, M6ngbr5bXOptCR8PEO.cs High entropy of concatenated method names: 'cQ6De8le3c', 'khtDipwSEl', 'Kr8Kwls2qK', 'PY5KSq5n42', 'IFdK44s8gf', 'Cb5KfK1fRH', 'KcSKh0AM0B', 'h9SKXBgJc3', 'qrpKU868GE', 'i9bKMt64K5'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, t9tVbiV0uPTUYfS1dW.cs High entropy of concatenated method names: 'VhkrQiEtlO', 'KcLrqvWG3M', 'qfcrDfUAHv', 'qVBrGV512w', 'MSmrFPfg7S', 'vXoDNQatvg', 'tZkDHyVrQv', 'pAqDoGGLo4', 'JaiDCLUTXV', 'SOTDAXui2v'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, eCwvkyYw2voigtMyuf.cs High entropy of concatenated method names: 'Dispose', 's4ZyAPMsJ3', 'QvGdxhFvTk', 'zXCll878ix', 'XXJy5ZA1CU', 'A2cyzvykD0', 'ProcessDialogKey', 'W4adsN6WRk', 'RmVdyp6ID0', 'iujddq2WKO'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, e44qn8M52P8GCkIp9P.cs High entropy of concatenated method names: 'tCH73mH031', 'uUE79kDDow', 'ToString', 'pDE7vr93Te', 'RAe7q2EpmH', 'Xct7KaQxa0', 'eJK7Dpsq6w', 'X2s7r12t5y', 'bOj7GDb6TZ', 'HR97FIZDxC'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, hciy9U1fMqouS4CXbnu.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OLtk0OPPJp', 'IafkjydZHR', 'BxBkg4w8uL', 'ypHk8SXlTb', 'NybkNYXFB4', 'hfNkHRnqjs', 'Bx7kox48Am'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, pPdWsx11eD9j2f3e7wZ.cs High entropy of concatenated method names: 'ToString', 'QmIkINlAM0', 'r93k21VvJV', 'WmXkQfbhW2', 'S6FkvBEAOX', 'i5Hkq7UfKq', 'T6skKhrp76', 'xjvkDbbgcM', 'zPGFrQIesnxCkOfMAG7', 'dYYEdmIaPShsVNMccI9'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Nou66DloiqYx4178FS.cs High entropy of concatenated method names: 'MSDG1NOSyn', 'MakGYpXNWM', 'EAmGmjaLgC', 'qhCGpHbQXB', 'ws8Ge8Ymad', 'w3yGW0ykb1', 'bXwGieFxfh', 'CksGVbetye', 'QByGcigtIF', 'GD4GbcTF7P'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, C86G4ZDECc2GTFZTYL.cs High entropy of concatenated method names: 'IdeKpyeZcu', 'OUTKWsnCvs', 'rmLKVFRbem', 'IUPKctApE3', 'i9xK6O5bnJ', 'zx2KBG4H94', 'rk5K7ek2hh', 'dAIKn9wJDG', 'DowKOfdC5A', 'nK3Kk7caqC'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, jZcqeZ3FX7MH3R5KrW.cs High entropy of concatenated method names: 'splOyUZ5jP', 'TFAOIIFlW7', 'XU2O2UIe1t', 'ON4OvjJXAC', 'v9vOqUA5Fy', 'JDSODy7u6T', 'JAqOrYg1OY', 'AANnoSohip', 'KnOnCrWG6l', 'gcpnAYLOHv'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, lfkj82aySIExnQ9DGG.cs High entropy of concatenated method names: 'yNBLVDBZsy', 'KYcLcmjnp5', 'SHsLTmZgSD', 'iqnLxptXkP', 'XapLSs1Lf8', 'PSZL42pGlj', 'RvPLhBkdJF', 'MaXLXClqQo', 'GuSLMcnQtX', 'knvLJBESEZ'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, VeVkon4uYBxlo0Z935.cs High entropy of concatenated method names: 'eLHnTLpuv5', 'WhxnxrhLnB', 'X0EnwoyCJE', 'qfnnS9hIX4', 'hfPn0xInfR', 'fNKn4Fn2eu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, PfY4hhpdWPrhK6QVIP.cs High entropy of concatenated method names: 'T0yGvd8HxM', 'h42GKUxQji', 'EsaGrQVKmn', 'wyjr5tYp4P', 'GltrzVwa1c', 'E2gGsxXlYF', 'EDsGyTOTGs', 'KHOGdwXBQc', 'gfiGIA8qK0', 'OWpG2mk7bN'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, zM8kKvzcu2nNZjrZbk.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YDxOLeArle', 'zqiO6WpSdL', 'QG7OB4fpwW', 'eIbO7HBUhu', 'QCnOnK4lNZ', 'Vu9OOD3WeG', 'm1IOkIRxwR'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, GiwBEN7EoeMMlMNy9T.cs High entropy of concatenated method names: 'AoJyGdlIar', 'l8wyFvoPMS', 'TLLy3fiaVy', 'ic2y98ig4i', 'WyNy6XeVU9', 'FXyyBDyuTD', 'hP0bm0wfSj5VSkCi3K', 'poy3c9sNW1MRT8YYOK', 'c9myydolTV', 'du4yIeB3B4'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, Y6eTJPtAxoYndBNoX2.cs High entropy of concatenated method names: 'MBtrEXUMnE', 'Sicr1pFo2F', 'HjCrmIU44a', 'kAVrpVwko8', 'FVKrWAMvqj', 'n8GriJ4gUQ', 'Llxrc0JH8y', 'xobrbvID7F', 'uKsFxmSdGUHuteDT76d', 'WpMQaJSRZn03nRYxlXB'
Source: 0.2.Payment TT Copy.PDF.exe.7f80000.6.raw.unpack, mEyRMSiXZwHKbxKOdG.cs High entropy of concatenated method names: 'g1PnvHs4IV', 'fVCnqsHDfu', 'EvVnKBDg3P', 'BdXnDfLfcn', 'j6hnr145Fm', 'SaCnGBc9uV', 'QAKnFWsGZY', 'FdEnPRDMO9', 'XXSn3JYpIn', 'EaWn9CgVcC'
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2fc9a1c.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.Payment TT Copy.PDF.exe.2fbc86c.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe File created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe

Boot Survival

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: Possible double extension: pdf.exe Static PE information: Payment TT Copy.PDF.exe
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Payment TT Copy.PDF.exe PID: 5632, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 1510000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 2F30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 2E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 8150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 9150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: 9310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: A310000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 1080000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 2E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 4E30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 7B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 8B60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 8D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory allocated: 9D10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F6096E rdtsc 13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2995 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4325 Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe TID: 2940 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5636 Thread sleep count: 2995 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2444 Thread sleep count: 87 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1548 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5904 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6772 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe TID: 5812 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe TID: 3300 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe TID: 2940 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Payment TT Copy.PDF.exe, 00000000.00000002.2147183357.0000000007F80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: QEMuI3f6HdgIrd9fgRr
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F6096E rdtsc 13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00417153 LdrLoadDll, 13_2_00417153
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1C0F0 mov eax, dword ptr fs:[00000030h] 13_2_00F1C0F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F620F0 mov ecx, dword ptr fs:[00000030h] 13_2_00F620F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A0E3 mov ecx, dword ptr fs:[00000030h] 13_2_00F1A0E3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA60E0 mov eax, dword ptr fs:[00000030h] 13_2_00FA60E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F280E9 mov eax, dword ptr fs:[00000030h] 13_2_00F280E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA20DE mov eax, dword ptr fs:[00000030h] 13_2_00FA20DE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE60B8 mov eax, dword ptr fs:[00000030h] 13_2_00FE60B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE60B8 mov ecx, dword ptr fs:[00000030h] 13_2_00FE60B8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F180A0 mov eax, dword ptr fs:[00000030h] 13_2_00F180A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB80A8 mov eax, dword ptr fs:[00000030h] 13_2_00FB80A8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2208A mov eax, dword ptr fs:[00000030h] 13_2_00F2208A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4C073 mov eax, dword ptr fs:[00000030h] 13_2_00F4C073
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F22050 mov eax, dword ptr fs:[00000030h] 13_2_00F22050
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6050 mov eax, dword ptr fs:[00000030h] 13_2_00FA6050
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB6030 mov eax, dword ptr fs:[00000030h] 13_2_00FB6030
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A020 mov eax, dword ptr fs:[00000030h] 13_2_00F1A020
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1C020 mov eax, dword ptr fs:[00000030h] 13_2_00F1C020
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h] 13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h] 13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h] 13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E016 mov eax, dword ptr fs:[00000030h] 13_2_00F3E016
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA4000 mov ecx, dword ptr fs:[00000030h] 13_2_00FA4000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC2000 mov eax, dword ptr fs:[00000030h] 13_2_00FC2000
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F501F8 mov eax, dword ptr fs:[00000030h] 13_2_00F501F8
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF61E5 mov eax, dword ptr fs:[00000030h] 13_2_00FF61E5
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h] 13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h] 13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E1D0 mov ecx, dword ptr fs:[00000030h] 13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h] 13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E1D0 mov eax, dword ptr fs:[00000030h] 13_2_00F9E1D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE61C3 mov eax, dword ptr fs:[00000030h] 13_2_00FE61C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE61C3 mov eax, dword ptr fs:[00000030h] 13_2_00FE61C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h] 13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h] 13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h] 13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA019F mov eax, dword ptr fs:[00000030h] 13_2_00FA019F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h] 13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h] 13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A197 mov eax, dword ptr fs:[00000030h] 13_2_00F1A197
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F60185 mov eax, dword ptr fs:[00000030h] 13_2_00F60185
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDC188 mov eax, dword ptr fs:[00000030h] 13_2_00FDC188
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDC188 mov eax, dword ptr fs:[00000030h] 13_2_00FDC188
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC4180 mov eax, dword ptr fs:[00000030h] 13_2_00FC4180
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC4180 mov eax, dword ptr fs:[00000030h] 13_2_00FC4180
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4164 mov eax, dword ptr fs:[00000030h] 13_2_00FF4164
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4164 mov eax, dword ptr fs:[00000030h] 13_2_00FF4164
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB8158 mov eax, dword ptr fs:[00000030h] 13_2_00FB8158
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26154 mov eax, dword ptr fs:[00000030h] 13_2_00F26154
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26154 mov eax, dword ptr fs:[00000030h] 13_2_00F26154
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1C156 mov eax, dword ptr fs:[00000030h] 13_2_00F1C156
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h] 13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h] 13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB4144 mov ecx, dword ptr fs:[00000030h] 13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h] 13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB4144 mov eax, dword ptr fs:[00000030h] 13_2_00FB4144
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F50124 mov eax, dword ptr fs:[00000030h] 13_2_00F50124
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCA118 mov ecx, dword ptr fs:[00000030h] 13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h] 13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h] 13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCA118 mov eax, dword ptr fs:[00000030h] 13_2_00FCA118
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE0115 mov eax, dword ptr fs:[00000030h] 13_2_00FE0115
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov eax, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE10E mov ecx, dword ptr fs:[00000030h] 13_2_00FCE10E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h] 13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h] 13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F302E1 mov eax, dword ptr fs:[00000030h] 13_2_00F302E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF62D6 mov eax, dword ptr fs:[00000030h] 13_2_00FF62D6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h] 13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h] 13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h] 13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h] 13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A2C3 mov eax, dword ptr fs:[00000030h] 13_2_00F2A2C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov ecx, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB62A0 mov eax, dword ptr fs:[00000030h] 13_2_00FB62A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E284 mov eax, dword ptr fs:[00000030h] 13_2_00F5E284
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E284 mov eax, dword ptr fs:[00000030h] 13_2_00F5E284
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h] 13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h] 13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA0283 mov eax, dword ptr fs:[00000030h] 13_2_00FA0283
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD0274 mov eax, dword ptr fs:[00000030h] 13_2_00FD0274
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h] 13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h] 13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24260 mov eax, dword ptr fs:[00000030h] 13_2_00F24260
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1826B mov eax, dword ptr fs:[00000030h] 13_2_00F1826B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1A250 mov eax, dword ptr fs:[00000030h] 13_2_00F1A250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF625D mov eax, dword ptr fs:[00000030h] 13_2_00FF625D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26259 mov eax, dword ptr fs:[00000030h] 13_2_00F26259
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDA250 mov eax, dword ptr fs:[00000030h] 13_2_00FDA250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDA250 mov eax, dword ptr fs:[00000030h] 13_2_00FDA250
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA8243 mov eax, dword ptr fs:[00000030h] 13_2_00FA8243
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA8243 mov ecx, dword ptr fs:[00000030h] 13_2_00FA8243
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1823B mov eax, dword ptr fs:[00000030h] 13_2_00F1823B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h] 13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h] 13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E3F0 mov eax, dword ptr fs:[00000030h] 13_2_00F3E3F0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F563FF mov eax, dword ptr fs:[00000030h] 13_2_00F563FF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F303E9 mov eax, dword ptr fs:[00000030h] 13_2_00F303E9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h] 13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h] 13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE3DB mov ecx, dword ptr fs:[00000030h] 13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCE3DB mov eax, dword ptr fs:[00000030h] 13_2_00FCE3DB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC43D4 mov eax, dword ptr fs:[00000030h] 13_2_00FC43D4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC43D4 mov eax, dword ptr fs:[00000030h] 13_2_00FC43D4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDC3CD mov eax, dword ptr fs:[00000030h] 13_2_00FDC3CD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A3C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A3C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h] 13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h] 13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h] 13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F283C0 mov eax, dword ptr fs:[00000030h] 13_2_00F283C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA63C0 mov eax, dword ptr fs:[00000030h] 13_2_00FA63C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h] 13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h] 13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18397 mov eax, dword ptr fs:[00000030h] 13_2_00F18397
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h] 13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h] 13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E388 mov eax, dword ptr fs:[00000030h] 13_2_00F1E388
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4438F mov eax, dword ptr fs:[00000030h] 13_2_00F4438F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4438F mov eax, dword ptr fs:[00000030h] 13_2_00F4438F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC437C mov eax, dword ptr fs:[00000030h] 13_2_00FC437C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov ecx, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA035C mov eax, dword ptr fs:[00000030h] 13_2_00FA035C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FEA352 mov eax, dword ptr fs:[00000030h] 13_2_00FEA352
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC8350 mov ecx, dword ptr fs:[00000030h] 13_2_00FC8350
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF634F mov eax, dword ptr fs:[00000030h] 13_2_00FF634F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA2349 mov eax, dword ptr fs:[00000030h] 13_2_00FA2349
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h] 13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF8324 mov ecx, dword ptr fs:[00000030h] 13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h] 13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF8324 mov eax, dword ptr fs:[00000030h] 13_2_00FF8324
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1C310 mov ecx, dword ptr fs:[00000030h] 13_2_00F1C310
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F40310 mov ecx, dword ptr fs:[00000030h] 13_2_00F40310
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h] 13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h] 13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A30B mov eax, dword ptr fs:[00000030h] 13_2_00F5A30B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F204E5 mov ecx, dword ptr fs:[00000030h] 13_2_00F204E5
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F544B0 mov ecx, dword ptr fs:[00000030h] 13_2_00F544B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAA4B0 mov eax, dword ptr fs:[00000030h] 13_2_00FAA4B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F264AB mov eax, dword ptr fs:[00000030h] 13_2_00F264AB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDA49A mov eax, dword ptr fs:[00000030h] 13_2_00FDA49A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h] 13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h] 13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4A470 mov eax, dword ptr fs:[00000030h] 13_2_00F4A470
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAC460 mov ecx, dword ptr fs:[00000030h] 13_2_00FAC460
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FDA456 mov eax, dword ptr fs:[00000030h] 13_2_00FDA456
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1645D mov eax, dword ptr fs:[00000030h] 13_2_00F1645D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4245A mov eax, dword ptr fs:[00000030h] 13_2_00F4245A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E443 mov eax, dword ptr fs:[00000030h] 13_2_00F5E443
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A430 mov eax, dword ptr fs:[00000030h] 13_2_00F5A430
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h] 13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h] 13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1E420 mov eax, dword ptr fs:[00000030h] 13_2_00F1E420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1C427 mov eax, dword ptr fs:[00000030h] 13_2_00F1C427
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA6420 mov eax, dword ptr fs:[00000030h] 13_2_00FA6420
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h] 13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h] 13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F58402 mov eax, dword ptr fs:[00000030h] 13_2_00F58402
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F225E0 mov eax, dword ptr fs:[00000030h] 13_2_00F225E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E5E7 mov eax, dword ptr fs:[00000030h] 13_2_00F4E5E7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C5ED mov eax, dword ptr fs:[00000030h] 13_2_00F5C5ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C5ED mov eax, dword ptr fs:[00000030h] 13_2_00F5C5ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F265D0 mov eax, dword ptr fs:[00000030h] 13_2_00F265D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A5D0 mov eax, dword ptr fs:[00000030h] 13_2_00F5A5D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A5D0 mov eax, dword ptr fs:[00000030h] 13_2_00F5A5D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E5CF mov eax, dword ptr fs:[00000030h] 13_2_00F5E5CF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E5CF mov eax, dword ptr fs:[00000030h] 13_2_00F5E5CF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F445B1 mov eax, dword ptr fs:[00000030h] 13_2_00F445B1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F445B1 mov eax, dword ptr fs:[00000030h] 13_2_00F445B1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h] 13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h] 13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA05A7 mov eax, dword ptr fs:[00000030h] 13_2_00FA05A7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5E59C mov eax, dword ptr fs:[00000030h] 13_2_00F5E59C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F22582 mov eax, dword ptr fs:[00000030h] 13_2_00F22582
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F22582 mov ecx, dword ptr fs:[00000030h] 13_2_00F22582
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F54588 mov eax, dword ptr fs:[00000030h] 13_2_00F54588
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h] 13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h] 13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5656A mov eax, dword ptr fs:[00000030h] 13_2_00F5656A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28550 mov eax, dword ptr fs:[00000030h] 13_2_00F28550
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28550 mov eax, dword ptr fs:[00000030h] 13_2_00F28550
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30535 mov eax, dword ptr fs:[00000030h] 13_2_00F30535
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h] 13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h] 13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h] 13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h] 13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E53E mov eax, dword ptr fs:[00000030h] 13_2_00F4E53E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB6500 mov eax, dword ptr fs:[00000030h] 13_2_00FB6500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4500 mov eax, dword ptr fs:[00000030h] 13_2_00FF4500
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h] 13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h] 13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h] 13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E6F2 mov eax, dword ptr fs:[00000030h] 13_2_00F9E6F2
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA06F1 mov eax, dword ptr fs:[00000030h] 13_2_00FA06F1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA06F1 mov eax, dword ptr fs:[00000030h] 13_2_00FA06F1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A6C7 mov ebx, dword ptr fs:[00000030h] 13_2_00F5A6C7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A6C7 mov eax, dword ptr fs:[00000030h] 13_2_00F5A6C7
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F566B0 mov eax, dword ptr fs:[00000030h] 13_2_00F566B0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C6A6 mov eax, dword ptr fs:[00000030h] 13_2_00F5C6A6
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24690 mov eax, dword ptr fs:[00000030h] 13_2_00F24690
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24690 mov eax, dword ptr fs:[00000030h] 13_2_00F24690
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F52674 mov eax, dword ptr fs:[00000030h] 13_2_00F52674
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE866E mov eax, dword ptr fs:[00000030h] 13_2_00FE866E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE866E mov eax, dword ptr fs:[00000030h] 13_2_00FE866E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A660 mov eax, dword ptr fs:[00000030h] 13_2_00F5A660
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A660 mov eax, dword ptr fs:[00000030h] 13_2_00F5A660
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3C640 mov eax, dword ptr fs:[00000030h] 13_2_00F3C640
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3E627 mov eax, dword ptr fs:[00000030h] 13_2_00F3E627
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F56620 mov eax, dword ptr fs:[00000030h] 13_2_00F56620
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F58620 mov eax, dword ptr fs:[00000030h] 13_2_00F58620
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2262C mov eax, dword ptr fs:[00000030h] 13_2_00F2262C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62619 mov eax, dword ptr fs:[00000030h] 13_2_00F62619
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E609 mov eax, dword ptr fs:[00000030h] 13_2_00F9E609
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F3260B mov eax, dword ptr fs:[00000030h] 13_2_00F3260B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F247FB mov eax, dword ptr fs:[00000030h] 13_2_00F247FB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F247FB mov eax, dword ptr fs:[00000030h] 13_2_00F247FB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h] 13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h] 13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F427ED mov eax, dword ptr fs:[00000030h] 13_2_00F427ED
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAE7E1 mov eax, dword ptr fs:[00000030h] 13_2_00FAE7E1
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2C7C0 mov eax, dword ptr fs:[00000030h] 13_2_00F2C7C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA07C3 mov eax, dword ptr fs:[00000030h] 13_2_00FA07C3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F207AF mov eax, dword ptr fs:[00000030h] 13_2_00F207AF
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD47A0 mov eax, dword ptr fs:[00000030h] 13_2_00FD47A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC678E mov eax, dword ptr fs:[00000030h] 13_2_00FC678E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28770 mov eax, dword ptr fs:[00000030h] 13_2_00F28770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30770 mov eax, dword ptr fs:[00000030h] 13_2_00F30770
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20750 mov eax, dword ptr fs:[00000030h] 13_2_00F20750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62750 mov eax, dword ptr fs:[00000030h] 13_2_00F62750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F62750 mov eax, dword ptr fs:[00000030h] 13_2_00F62750
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAE75D mov eax, dword ptr fs:[00000030h] 13_2_00FAE75D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA4755 mov eax, dword ptr fs:[00000030h] 13_2_00FA4755
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5674D mov esi, dword ptr fs:[00000030h] 13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5674D mov eax, dword ptr fs:[00000030h] 13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5674D mov eax, dword ptr fs:[00000030h] 13_2_00F5674D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5273C mov eax, dword ptr fs:[00000030h] 13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5273C mov ecx, dword ptr fs:[00000030h] 13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5273C mov eax, dword ptr fs:[00000030h] 13_2_00F5273C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9C730 mov eax, dword ptr fs:[00000030h] 13_2_00F9C730
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C720 mov eax, dword ptr fs:[00000030h] 13_2_00F5C720
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C720 mov eax, dword ptr fs:[00000030h] 13_2_00F5C720
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20710 mov eax, dword ptr fs:[00000030h] 13_2_00F20710
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F50710 mov eax, dword ptr fs:[00000030h] 13_2_00F50710
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C700 mov eax, dword ptr fs:[00000030h] 13_2_00F5C700
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C8F9 mov eax, dword ptr fs:[00000030h] 13_2_00F5C8F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5C8F9 mov eax, dword ptr fs:[00000030h] 13_2_00F5C8F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FEA8E4 mov eax, dword ptr fs:[00000030h] 13_2_00FEA8E4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4E8C0 mov eax, dword ptr fs:[00000030h] 13_2_00F4E8C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF08C0 mov eax, dword ptr fs:[00000030h] 13_2_00FF08C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAC89D mov eax, dword ptr fs:[00000030h] 13_2_00FAC89D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20887 mov eax, dword ptr fs:[00000030h] 13_2_00F20887
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAE872 mov eax, dword ptr fs:[00000030h] 13_2_00FAE872
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAE872 mov eax, dword ptr fs:[00000030h] 13_2_00FAE872
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB6870 mov eax, dword ptr fs:[00000030h] 13_2_00FB6870
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB6870 mov eax, dword ptr fs:[00000030h] 13_2_00FB6870
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F50854 mov eax, dword ptr fs:[00000030h] 13_2_00F50854
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24859 mov eax, dword ptr fs:[00000030h] 13_2_00F24859
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F24859 mov eax, dword ptr fs:[00000030h] 13_2_00F24859
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F32840 mov ecx, dword ptr fs:[00000030h] 13_2_00F32840
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov ecx, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F42835 mov eax, dword ptr fs:[00000030h] 13_2_00F42835
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5A830 mov eax, dword ptr fs:[00000030h] 13_2_00F5A830
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC483A mov eax, dword ptr fs:[00000030h] 13_2_00FC483A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC483A mov eax, dword ptr fs:[00000030h] 13_2_00FC483A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAC810 mov eax, dword ptr fs:[00000030h] 13_2_00FAC810
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F529F9 mov eax, dword ptr fs:[00000030h] 13_2_00F529F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F529F9 mov eax, dword ptr fs:[00000030h] 13_2_00F529F9
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAE9E0 mov eax, dword ptr fs:[00000030h] 13_2_00FAE9E0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2A9D0 mov eax, dword ptr fs:[00000030h] 13_2_00F2A9D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F549D0 mov eax, dword ptr fs:[00000030h] 13_2_00F549D0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FEA9D3 mov eax, dword ptr fs:[00000030h] 13_2_00FEA9D3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB69C0 mov eax, dword ptr fs:[00000030h] 13_2_00FB69C0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA89B3 mov esi, dword ptr fs:[00000030h] 13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA89B3 mov eax, dword ptr fs:[00000030h] 13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA89B3 mov eax, dword ptr fs:[00000030h] 13_2_00FA89B3
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F329A0 mov eax, dword ptr fs:[00000030h] 13_2_00F329A0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F209AD mov eax, dword ptr fs:[00000030h] 13_2_00F209AD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F209AD mov eax, dword ptr fs:[00000030h] 13_2_00F209AD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC4978 mov eax, dword ptr fs:[00000030h] 13_2_00FC4978
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC4978 mov eax, dword ptr fs:[00000030h] 13_2_00FC4978
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAC97C mov eax, dword ptr fs:[00000030h] 13_2_00FAC97C
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h] 13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h] 13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F46962 mov eax, dword ptr fs:[00000030h] 13_2_00F46962
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F6096E mov eax, dword ptr fs:[00000030h] 13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F6096E mov edx, dword ptr fs:[00000030h] 13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F6096E mov eax, dword ptr fs:[00000030h] 13_2_00F6096E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA0946 mov eax, dword ptr fs:[00000030h] 13_2_00FA0946
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4940 mov eax, dword ptr fs:[00000030h] 13_2_00FF4940
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FA892A mov eax, dword ptr fs:[00000030h] 13_2_00FA892A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB892B mov eax, dword ptr fs:[00000030h] 13_2_00FB892B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FAC912 mov eax, dword ptr fs:[00000030h] 13_2_00FAC912
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18918 mov eax, dword ptr fs:[00000030h] 13_2_00F18918
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18918 mov eax, dword ptr fs:[00000030h] 13_2_00F18918
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E908 mov eax, dword ptr fs:[00000030h] 13_2_00F9E908
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9E908 mov eax, dword ptr fs:[00000030h] 13_2_00F9E908
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5AAEE mov eax, dword ptr fs:[00000030h] 13_2_00F5AAEE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5AAEE mov eax, dword ptr fs:[00000030h] 13_2_00F5AAEE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20AD0 mov eax, dword ptr fs:[00000030h] 13_2_00F20AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F54AD0 mov eax, dword ptr fs:[00000030h] 13_2_00F54AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F54AD0 mov eax, dword ptr fs:[00000030h] 13_2_00F54AD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h] 13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h] 13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F76ACC mov eax, dword ptr fs:[00000030h] 13_2_00F76ACC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28AA0 mov eax, dword ptr fs:[00000030h] 13_2_00F28AA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28AA0 mov eax, dword ptr fs:[00000030h] 13_2_00F28AA0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F76AA4 mov eax, dword ptr fs:[00000030h] 13_2_00F76AA4
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F58A90 mov edx, dword ptr fs:[00000030h] 13_2_00F58A90
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F2EA80 mov eax, dword ptr fs:[00000030h] 13_2_00F2EA80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF4A80 mov eax, dword ptr fs:[00000030h] 13_2_00FF4A80
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9CA72 mov eax, dword ptr fs:[00000030h] 13_2_00F9CA72
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9CA72 mov eax, dword ptr fs:[00000030h] 13_2_00F9CA72
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h] 13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h] 13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5CA6F mov eax, dword ptr fs:[00000030h] 13_2_00F5CA6F
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCEA60 mov eax, dword ptr fs:[00000030h] 13_2_00FCEA60
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F26A50 mov eax, dword ptr fs:[00000030h] 13_2_00F26A50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30A5B mov eax, dword ptr fs:[00000030h] 13_2_00F30A5B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30A5B mov eax, dword ptr fs:[00000030h] 13_2_00F30A5B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F44A35 mov eax, dword ptr fs:[00000030h] 13_2_00F44A35
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F44A35 mov eax, dword ptr fs:[00000030h] 13_2_00F44A35
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5CA38 mov eax, dword ptr fs:[00000030h] 13_2_00F5CA38
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F5CA24 mov eax, dword ptr fs:[00000030h] 13_2_00F5CA24
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4EA2E mov eax, dword ptr fs:[00000030h] 13_2_00F4EA2E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FACA11 mov eax, dword ptr fs:[00000030h] 13_2_00FACA11
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h] 13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h] 13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F28BF0 mov eax, dword ptr fs:[00000030h] 13_2_00F28BF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4EBFC mov eax, dword ptr fs:[00000030h] 13_2_00F4EBFC
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FACBF0 mov eax, dword ptr fs:[00000030h] 13_2_00FACBF0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCEBD0 mov eax, dword ptr fs:[00000030h] 13_2_00FCEBD0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h] 13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h] 13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F40BCB mov eax, dword ptr fs:[00000030h] 13_2_00F40BCB
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h] 13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h] 13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F20BCD mov eax, dword ptr fs:[00000030h] 13_2_00F20BCD
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30BBE mov eax, dword ptr fs:[00000030h] 13_2_00F30BBE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F30BBE mov eax, dword ptr fs:[00000030h] 13_2_00F30BBE
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD4BB0 mov eax, dword ptr fs:[00000030h] 13_2_00FD4BB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD4BB0 mov eax, dword ptr fs:[00000030h] 13_2_00FD4BB0
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F1CB7E mov eax, dword ptr fs:[00000030h] 13_2_00F1CB7E
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F18B50 mov eax, dword ptr fs:[00000030h] 13_2_00F18B50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h] 13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h] 13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h] 13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FF2B57 mov eax, dword ptr fs:[00000030h] 13_2_00FF2B57
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FCEB50 mov eax, dword ptr fs:[00000030h] 13_2_00FCEB50
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD4B4B mov eax, dword ptr fs:[00000030h] 13_2_00FD4B4B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FD4B4B mov eax, dword ptr fs:[00000030h] 13_2_00FD4B4B
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FB6B40 mov eax, dword ptr fs:[00000030h] 13_2_00FB6B40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FEAB40 mov eax, dword ptr fs:[00000030h] 13_2_00FEAB40
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FC8B42 mov eax, dword ptr fs:[00000030h] 13_2_00FC8B42
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F4EB20 mov eax, dword ptr fs:[00000030h] 13_2_00F4EB20
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00FE8B28 mov eax, dword ptr fs:[00000030h] 13_2_00FE8B28
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Code function: 13_2_00F9EB1D mov eax, dword ptr fs:[00000030h] 13_2_00F9EB1D
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Memory written: C:\Users\user\Desktop\Payment TT Copy.PDF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Memory written: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp78CA.tmp"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Process created: C:\Users\user\Desktop\Payment TT Copy.PDF.exe "C:\Users\user\Desktop\Payment TT Copy.PDF.exe"
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VajtonZVfAG" /XML "C:\Users\user\AppData\Local\Temp\tmp91A1.tmp"
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Process created: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe "C:\Users\user\AppData\Roaming\VajtonZVfAG.exe"
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Users\user\Desktop\Payment TT Copy.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Queries volume information: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VajtonZVfAG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment TT Copy.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.Payment TT Copy.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.2166748571.0000000000BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2165031131.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos