Windows Analysis Report
Payment Advice D 0024679526 3930.exe

Overview

General Information

Sample name: Payment Advice D 0024679526 3930.exe
Analysis ID: 1562305
MD5: dcd730d80c1a49c81b02eb90b5f9c4a6
SHA1: 6fd7cf911360120f2af050611ac416045ac74c1b
SHA256: fbc1981c8c4b453464e63ea2155aa74d2e6e6da1fd3268fd8b45e16c1d2bd0d2
Tags: exeuser-adrian__luca
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Payment Advice D 0024679526 3930.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Avira: detection malicious, Label: HEUR/AGEN.1306899
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: Payment Advice D 0024679526 3930.exe ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Payment Advice D 0024679526 3930.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Payment Advice D 0024679526 3930.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Advice D 0024679526 3930.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment Advice D 0024679526 3930.exe, Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1756504603.00000000031AB000.00000004.00000800.00020000.00000000.sdmp, OyXCaSLaAXfAKx.exe, 00000009.00000002.1972391149.000000000302B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763983978.00000000072B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Advice D 0024679526 3930.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0042C713 NtClose, 8_2_0042C713
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_01622DF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_01622C70
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016235C0 NtCreateMutant,LdrInitializeThunk, 8_2_016235C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01624340 NtSetContextThread, 8_2_01624340
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01624650 NtSuspendThread, 8_2_01624650
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622B60 NtClose, 8_2_01622B60
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622BE0 NtQueryValueKey, 8_2_01622BE0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622BF0 NtAllocateVirtualMemory, 8_2_01622BF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622BA0 NtEnumerateValueKey, 8_2_01622BA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622B80 NtQueryInformationFile, 8_2_01622B80
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622AF0 NtWriteFile, 8_2_01622AF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622AD0 NtReadFile, 8_2_01622AD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622AB0 NtWaitForSingleObject, 8_2_01622AB0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622D30 NtUnmapViewOfSection, 8_2_01622D30
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622D00 NtSetInformationFile, 8_2_01622D00
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622D10 NtMapViewOfSection, 8_2_01622D10
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622DD0 NtDelayExecution, 8_2_01622DD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622DB0 NtEnumerateKey, 8_2_01622DB0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622C60 NtCreateKey, 8_2_01622C60
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622C00 NtQueryInformationProcess, 8_2_01622C00
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622CF0 NtOpenProcess, 8_2_01622CF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622CC0 NtQueryVirtualMemory, 8_2_01622CC0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622CA0 NtQueryInformationToken, 8_2_01622CA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622F60 NtCreateProcessEx, 8_2_01622F60
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622F30 NtCreateSection, 8_2_01622F30
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622FE0 NtCreateFile, 8_2_01622FE0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622FA0 NtQuerySection, 8_2_01622FA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622FB0 NtResumeThread, 8_2_01622FB0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622F90 NtProtectVirtualMemory, 8_2_01622F90
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622E30 NtWriteVirtualMemory, 8_2_01622E30
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622EE0 NtQueueApcThread, 8_2_01622EE0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622EA0 NtAdjustPrivilegesToken, 8_2_01622EA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622E80 NtReadVirtualMemory, 8_2_01622E80
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01623010 NtOpenDirectoryObject, 8_2_01623010
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01623090 NtSetValueKey, 8_2_01623090
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016239B0 NtGetContextThread, 8_2_016239B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01623D70 NtOpenThread, 8_2_01623D70
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01623D10 NtOpenProcessToken, 8_2_01623D10
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_0559D51C 0_2_0559D51C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079FD0C0 0_2_079FD0C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F57E0 0_2_079F57E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F539B 0_2_079F539B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F53A8 0_2_079F53A8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F7358 0_2_079F7358
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F5C18 0_2_079F5C18
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F0948 0_2_079F0948
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 0_2_079F7868 0_2_079F7868
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00403040 8_2_00403040
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0041694E 8_2_0041694E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00416953 8_2_00416953
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040E153 8_2_0040E153
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00410173 8_2_00410173
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00401210 8_2_00401210
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040E297 8_2_0040E297
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040E2A3 8_2_0040E2A3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00402440 8_2_00402440
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040243B 8_2_0040243B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0042ED23 8_2_0042ED23
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040FF53 8_2_0040FF53
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_004027A0 8_2_004027A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01678158 8_2_01678158
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0100 8_2_015E0100
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168A118 8_2_0168A118
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A81CC 8_2_016A81CC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B01AA 8_2_016B01AA
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A41A2 8_2_016A41A2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AA352 8_2_016AA352
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B03E6 8_2_016B03E6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE3F0 8_2_015FE3F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016702C0 8_2_016702C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B0591 8_2_016B0591
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A2446 8_2_016A2446
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01694420 8_2_01694420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169E4F6 8_2_0169E4F6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01614750 8_2_01614750
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EC7C0 8_2_015EC7C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160C6E0 8_2_0160C6E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01606962 8_2_01606962
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016BA9A6 8_2_016BA9A6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F2840 8_2_015F2840
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FA840 8_2_015FA840
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E8F0 8_2_0161E8F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D68B8 8_2_015D68B8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AAB40 8_2_016AAB40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A6BD7 8_2_016A6BD7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EEA80 8_2_015EEA80
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FAD00 8_2_015FAD00
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168CD1F 8_2_0168CD1F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EADE0 8_2_015EADE0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01608DBF 8_2_01608DBF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0C00 8_2_015F0C00
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0CF2 8_2_015E0CF2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690CB5 8_2_01690CB5
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01664F40 8_2_01664F40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01632F28 8_2_01632F28
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01610F30 8_2_01610F30
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01692F30 8_2_01692F30
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E2FC8 8_2_015E2FC8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166EFA0 8_2_0166EFA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0E59 8_2_015F0E59
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AEE26 8_2_016AEE26
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AEEDB 8_2_016AEEDB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602E90 8_2_01602E90
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016ACE93 8_2_016ACE93
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016BB16B 8_2_016BB16B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162516C 8_2_0162516C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DF172 8_2_015DF172
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FB1B0 8_2_015FB1B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A70E9 8_2_016A70E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AF0E0 8_2_016AF0E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F70C0 8_2_015F70C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169F0CC 8_2_0169F0CC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DD34C 8_2_015DD34C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A132D 8_2_016A132D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0163739A 8_2_0163739A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016912ED 8_2_016912ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160B2C0 8_2_0160B2C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F52A0 8_2_015F52A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A7571 8_2_016A7571
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B95C3 8_2_016B95C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168D5B0 8_2_0168D5B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E1460 8_2_015E1460
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AF43F 8_2_016AF43F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AF7B0 8_2_016AF7B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01635630 8_2_01635630
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A16CC 8_2_016A16CC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F9950 8_2_015F9950
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160B950 8_2_0160B950
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01685910 8_2_01685910
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165D800 8_2_0165D800
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F38E0 8_2_015F38E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AFB76 8_2_016AFB76
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01665BF0 8_2_01665BF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162DBF9 8_2_0162DBF9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160FB80 8_2_0160FB80
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01663A6C 8_2_01663A6C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AFA49 8_2_016AFA49
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A7A46 8_2_016A7A46
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169DAC6 8_2_0169DAC6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01635AA0 8_2_01635AA0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168DAAC 8_2_0168DAAC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01691AA3 8_2_01691AA3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A7D73 8_2_016A7D73
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F3D40 8_2_015F3D40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A1D5A 8_2_016A1D5A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160FDC0 8_2_0160FDC0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01669C32 8_2_01669C32
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AFCF2 8_2_016AFCF2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AFF09 8_2_016AFF09
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015B3FD2 8_2_015B3FD2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015B3FD5 8_2_015B3FD5
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F1F92 8_2_015F1F92
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AFFB1 8_2_016AFFB1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F9EB0 8_2_015F9EB0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_02DCD51C 9_2_02DCD51C
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073EC3C0 9_2_073EC3C0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E57E0 9_2_073E57E0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E7358 9_2_073E7358
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E53A8 9_2_073E53A8
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E5C18 9_2_073E5C18
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E7868 9_2_073E7868
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01390100 13_2_01390100
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013E6000 13_2_013E6000
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_014202C0 13_2_014202C0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A0535 13_2_013A0535
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A0770 13_2_013A0770
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013C4750 13_2_013C4750
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0139C7C0 13_2_0139C7C0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BC6E0 13_2_013BC6E0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013B6962 13_2_013B6962
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A29A0 13_2_013A29A0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A2840 13_2_013A2840
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013AA840 13_2_013AA840
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013868B8 13_2_013868B8
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013D8890 13_2_013D8890
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013CE8F0 13_2_013CE8F0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0139EA80 13_2_0139EA80
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013AAD00 13_2_013AAD00
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013AED7A 13_2_013AED7A
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013B8DBF 13_2_013B8DBF
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0139ADE0 13_2_0139ADE0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A8DC0 13_2_013A8DC0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A0C00 13_2_013A0C00
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01390CF2 13_2_01390CF2
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01414F40 13_2_01414F40
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013C0F30 13_2_013C0F30
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013E2F28 13_2_013E2F28
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0141EFA0 13_2_0141EFA0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01392FC8 13_2_01392FC8
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A0E59 13_2_013A0E59
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013B2E90 13_2_013B2E90
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0138F172 13_2_0138F172
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013D516C 13_2_013D516C
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013AB1B0 13_2_013AB1B0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0138D34C 13_2_0138D34C
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A33F3 13_2_013A33F3
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A52A0 13_2_013A52A0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BD2F0 13_2_013BD2F0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BB2C0 13_2_013BB2C0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01391460 13_2_01391460
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A3497 13_2_013A3497
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013E74E0 13_2_013E74E0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013AB730 13_2_013AB730
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A9950 13_2_013A9950
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BB950 13_2_013BB950
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A5990 13_2_013A5990
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0140D800 13_2_0140D800
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A38E0 13_2_013A38E0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01415BF0 13_2_01415BF0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BFB80 13_2_013BFB80
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013DDBF9 13_2_013DDBF9
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01413A6C 13_2_01413A6C
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A3D40 13_2_013A3D40
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013BFDC0 13_2_013BFDC0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013B9C20 13_2_013B9C20
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01419C32 13_2_01419C32
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A1F92 13_2_013A1F92
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013A9EB0 13_2_013A9EB0
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_0042ED23 13_2_0042ED23
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: String function: 0140EA12 appears 36 times
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: String function: 013E7E54 appears 96 times
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: String function: 0165EA12 appears 86 times
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: String function: 0166F290 appears 105 times
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: String function: 015DB970 appears 265 times
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: String function: 01625130 appears 58 times
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: String function: 01637E54 appears 108 times
Sample file is different than original file name gathered from version info
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1758508861.00000000043F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1763496792.0000000005B30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameArthur.dll" vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1765407733.0000000007F00000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000002.1749493496.000000000134E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe, 00000000.00000000.1700118511.0000000000E04000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameIipY.exe6 vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000016DD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Advice D 0024679526 3930.exe
Source: Payment Advice D 0024679526 3930.exe Binary or memory string: OriginalFilenameIipY.exe6 vs Payment Advice D 0024679526 3930.exe
Uses 32bit PE files
Source: Payment Advice D 0024679526 3930.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Payment Advice D 0024679526 3930.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: OyXCaSLaAXfAKx.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, STvBYiOPF3W7NGdnQE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, STvBYiOPF3W7NGdnQE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@19/15@0/0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1376:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Mutant created: \Sessions\1\BaseNamedObjects\OBzPvtZWXhAQ
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File created: C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp Jump to behavior
Source: Payment Advice D 0024679526 3930.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Payment Advice D 0024679526 3930.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Payment Advice D 0024679526 3930.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File read: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Payment Advice D 0024679526 3930.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Advice D 0024679526 3930.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Payment Advice D 0024679526 3930.exe, Payment Advice D 0024679526 3930.exe, 00000008.00000002.2051713578.00000000015B0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs .Net Code: xZdFsqTGHk System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs .Net Code: xZdFsqTGHk System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040587C push edi; iretd 8_2_0040587D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_004118C9 pushfd ; iretd 8_2_004118D6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0041713B push cs; iretd 8_2_0041714A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_004032C0 push eax; ret 8_2_004032C2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040AABE push edi; retf 8_2_0040AABF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00414C5F push cs; retf 8_2_00414C69
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0041EDFB push ss; retf 8_2_0041EE2D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040D580 push ebx; iretd 8_2_0040D581
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040ADAA push esi; retf 8_2_0040ADAD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_00423E23 push 0000006Dh; iretd 8_2_00423E2C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0040163A pushad ; retf 8_2_004016C1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015B225F pushad ; ret 8_2_015B27F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015B27FA pushad ; ret 8_2_015B27F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E09AD push ecx; mov dword ptr [esp], ecx 8_2_015E09B6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015B283D push eax; iretd 8_2_015B2858
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_02DCF2B0 push ss; iretd 9_2_02DCF2F6
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 9_2_073E8D8A push esp; iretd 9_2_073E8D91
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013DC54D pushfd ; ret 13_2_013DC54E
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013DC54F push 8B013667h; ret 13_2_013DC554
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013909AD push ecx; mov dword ptr [esp], ecx 13_2_013909B6
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013DC9D7 push edi; ret 13_2_013DC9D9
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_01361FEC push eax; iretd 13_2_01361FED
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Code function: 13_2_013E7E99 push ecx; ret 13_2_013E7EAC
Source: Payment Advice D 0024679526 3930.exe Static PE information: section name: .text entropy: 7.944349569066882
Source: OyXCaSLaAXfAKx.exe.0.dr Static PE information: section name: .text entropy: 7.944349569066882
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LilRgRlocgsJfSUIBVA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEDxPgjg97', 'WTrxyltIj3', 'B52xuedZdo', 'FRoxwuAQ3u', 'IJlxVvdAPy', 'gFexQG7mA5', 'E4qxto6SG3'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, ihf6hpKUwMlx91rtyZ.cs High entropy of concatenated method names: 'TMiLAQ55Pr', 'gbaLN3fa2v', 'nRmLsctZl0', 'hDHLkZj3Rm', 'UTQLmVv7T9', 'VbNLdFiGKB', 'QybLh4kTkF', 'qPyLOVlx3i', 'olxLT0ay8b', 'W3VLrrBAph'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, FsvoM4pTwQ1X19oRwJ.cs High entropy of concatenated method names: 'Dispose', 'Pxal2cejbq', 'IYK9JBgtEQ', 'nbVx7mnvPT', 'UeklC61JUT', 'Bk4lzZ4h7t', 'ProcessDialogKey', 'D7P9oimXPJ', 'ecq9lVTQHZ', 'xbD997nuZo'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, aBUGJ09d9FpZDKVyEw.cs High entropy of concatenated method names: 'MTrsTfTRG', 'RJHkwbBpb', 'KNFd1MTud', 'RbBhxWGcA', 'bT6T42ijs', 'Yx0rFsCF8', 'QrmfmbSYVR0IM5Temj', 'QfASx2TEyR8XbrpD0v', 'N6xo2UHIUyBjuhyWC1', 'tu1vCsxfE'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, YACNV4FWN97mrDWQek.cs High entropy of concatenated method names: 'DFVlLTvBYi', 'OF3lHW7NGd', 'XtjlZyN3OY', 'ntwlnUilkJ', 'yjSlWm1eOh', 'doPlXcr0sy', 'O9vJvIDjdOGA1cvFCy', 'g1sTodv39ABCOHI9rD', 'kWPllpbam2', 'WnhlDc57fZ'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, TOUElNi2dJ1lYilUES.cs High entropy of concatenated method names: 'wyjLb53cnP', 'VJwLSRShXW', 'fKBL5V1TkO', 'bc05CPMmb6', 'dRT5zyKOdQ', 'GAELoqfWVB', 'HLwLlyOWwR', 'VjgL9kbND1', 'z8dLD011lO', 'pcxLFxsb7a'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LlkJocrZVOSjBNjSm1.cs High entropy of concatenated method names: 'xPd6mZwyis', 'Gf06h18XIb', 'FKVSMHkmuD', 'YE9SgHwQ7q', 'F3ySjug1rs', 'T3ZScNMTjq', 'elbSikr1oW', 'WPoSeqvOYr', 'i5iSKd0qyH', 'cBpSIt5qf0'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, fgT2tgwvS0qEO8ySCQ.cs High entropy of concatenated method names: 'BNyWIiNyY7', 'YG3Wywbbyc', 'u7sWwJksvd', 'EtNWVaxCyi', 'ndWWJWxiZM', 'kqqWMZwwOL', 'NiIWgTrZpq', 'LDjWjmCTRo', 'g0NWcLSQWM', 'U7SWiCdnVD'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, xGpQc0TtjyN3OY7twU.cs High entropy of concatenated method names: 'zgpSkTWxGx', 'YjRSdiJ5kl', 'r90SOR2vsg', 'm5xSTmRMTy', 'oBASWw6ntW', 'RUESXxP9Qq', 'tKBSEAZl5X', 'h9hSvLYMZq', 'GyoSffiDUc', 'ICkSx3llvV'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, LOhDoPGcr0sy8ui08J.cs High entropy of concatenated method names: 'elQ51ErY3m', 'GPx5pTltYb', 'YsY560KWqw', 'VgF5LGfWE1', 'h1M5HQswC0', 'W9y64icfoZ', 'EdP6ae8VQu', 'RNN6Rt1RjS', 'Gqu60MeE6q', 'yvR62ZrEqG'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, VncoUxRqwyxacejbqa.cs High entropy of concatenated method names: 'oE3fWS1bn7', 'SmUfEdrAgA', 'ojsffPyQbv', 'daNf8bYDdM', 'jYQfUEkAGA', 'i4tfB3iYr9', 'Dispose', 'JEmvbyb5Jd', 'D22vpTGMSY', 'CTdvSJcRi7'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, DJEwmBlFhqMWq18ODlp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6HYfesMbL', 'PsGYxCjWbV', 'UC3Y8vJRoe', 'pE0YYYC6hR', 'pkEYUVNy1N', 'RnvY3jkhLc', 'NHnYBppQJ4'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, SBOMUsllvJRxlWuCoho.cs High entropy of concatenated method names: 'GXXxCbHHlj', 'Nfxxz70sct', 'KjR8oIJbge', 'kFw8lJjjWi', 'pfO89oAZEM', 'GD88DUrHGh', 'G3d8FA6i0F', 'wfv81ouXLO', 'cgS8b272Xv', 'L9q8ppZQQJ'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, V8GpJSHfERQPZdSvTP.cs High entropy of concatenated method names: 'zJKD14YgEb', 'GcYDb6CFSR', 'rRSDpcLYt0', 'l1gDSqTCwk', 'iPTD6B3JQS', 'bFMD5XuGig', 'YhODLclJi4', 'XGWDHY0Kvi', 'Au8DqTcEKl', 'ennDZLOYld'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, BjMU6yaiqhebqut6xN.cs High entropy of concatenated method names: 'Ew2E0JFYEo', 'YAcECZyFIM', 'Ubjvop2lgF', 'iW5vl5ukS1', 'ijiEPeJiPO', 'LwwEy4QVR9', 'HbVEu9BmlU', 'Fs3EwZXFxy', 'yU8EVq9moq', 'qZLEQyYlfb'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, OimXPJ21cqVTQHZAbD.cs High entropy of concatenated method names: 'v7wfGuFvx6', 'CnufJrQmR9', 'y6NfMYPoS3', 'P1hfgGF3JT', 'q4Yfjx15Ry', 'CUWfcmJeIm', 'phafiry9q4', 'tLGfexfZMq', 'DR3fKjt2dA', 'q15fIKuou0'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, dJ1DG7zThxA1XO7tHU.cs High entropy of concatenated method names: 'rY5xd4cIlg', 'b10xOsHpw0', 'lJoxTn1HAS', 'HNmxG9xOaq', 'G9LxJMUGHv', 'RM7xgvvbBY', 'A3bxjgJIGK', 'rroxBq8VkE', 'tVDxAqC81W', 'uRRxNidDSN'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, URBpJYuUOiqnwSLstk.cs High entropy of concatenated method names: 'AYs7O1xA6j', 'Bpi7Td8dHK', 'Nic7GHJIoZ', 'wlm7JpENsf', 's7Q7gg8ktN', 'L117juSTJT', 'MUx7iHCQMl', 'FwB7eSRPjn', 'kfo7ILUn2N', 'zQV7PZOaEV'
Source: 0.2.Payment Advice D 0024679526 3930.exe.7f00000.4.raw.unpack, STvBYiOPF3W7NGdnQE.cs High entropy of concatenated method names: 'WOqpwoEitK', 'XJNpVdNW28', 'OtxpQf3no4', 'tMVptnFnTa', 'ju0p4WaY1J', 'X7LpaZSLth', 'lQEpRrBvCZ', 'fX2p0sE3Ri', 'hgOp2xN38s', 'EUHpCaaAoS'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LilRgRlocgsJfSUIBVA.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LEDxPgjg97', 'WTrxyltIj3', 'B52xuedZdo', 'FRoxwuAQ3u', 'IJlxVvdAPy', 'gFexQG7mA5', 'E4qxto6SG3'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, ihf6hpKUwMlx91rtyZ.cs High entropy of concatenated method names: 'TMiLAQ55Pr', 'gbaLN3fa2v', 'nRmLsctZl0', 'hDHLkZj3Rm', 'UTQLmVv7T9', 'VbNLdFiGKB', 'QybLh4kTkF', 'qPyLOVlx3i', 'olxLT0ay8b', 'W3VLrrBAph'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, FsvoM4pTwQ1X19oRwJ.cs High entropy of concatenated method names: 'Dispose', 'Pxal2cejbq', 'IYK9JBgtEQ', 'nbVx7mnvPT', 'UeklC61JUT', 'Bk4lzZ4h7t', 'ProcessDialogKey', 'D7P9oimXPJ', 'ecq9lVTQHZ', 'xbD997nuZo'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, aBUGJ09d9FpZDKVyEw.cs High entropy of concatenated method names: 'MTrsTfTRG', 'RJHkwbBpb', 'KNFd1MTud', 'RbBhxWGcA', 'bT6T42ijs', 'Yx0rFsCF8', 'QrmfmbSYVR0IM5Temj', 'QfASx2TEyR8XbrpD0v', 'N6xo2UHIUyBjuhyWC1', 'tu1vCsxfE'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, YACNV4FWN97mrDWQek.cs High entropy of concatenated method names: 'DFVlLTvBYi', 'OF3lHW7NGd', 'XtjlZyN3OY', 'ntwlnUilkJ', 'yjSlWm1eOh', 'doPlXcr0sy', 'O9vJvIDjdOGA1cvFCy', 'g1sTodv39ABCOHI9rD', 'kWPllpbam2', 'WnhlDc57fZ'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, TOUElNi2dJ1lYilUES.cs High entropy of concatenated method names: 'wyjLb53cnP', 'VJwLSRShXW', 'fKBL5V1TkO', 'bc05CPMmb6', 'dRT5zyKOdQ', 'GAELoqfWVB', 'HLwLlyOWwR', 'VjgL9kbND1', 'z8dLD011lO', 'pcxLFxsb7a'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LlkJocrZVOSjBNjSm1.cs High entropy of concatenated method names: 'xPd6mZwyis', 'Gf06h18XIb', 'FKVSMHkmuD', 'YE9SgHwQ7q', 'F3ySjug1rs', 'T3ZScNMTjq', 'elbSikr1oW', 'WPoSeqvOYr', 'i5iSKd0qyH', 'cBpSIt5qf0'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, fgT2tgwvS0qEO8ySCQ.cs High entropy of concatenated method names: 'BNyWIiNyY7', 'YG3Wywbbyc', 'u7sWwJksvd', 'EtNWVaxCyi', 'ndWWJWxiZM', 'kqqWMZwwOL', 'NiIWgTrZpq', 'LDjWjmCTRo', 'g0NWcLSQWM', 'U7SWiCdnVD'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, xGpQc0TtjyN3OY7twU.cs High entropy of concatenated method names: 'zgpSkTWxGx', 'YjRSdiJ5kl', 'r90SOR2vsg', 'm5xSTmRMTy', 'oBASWw6ntW', 'RUESXxP9Qq', 'tKBSEAZl5X', 'h9hSvLYMZq', 'GyoSffiDUc', 'ICkSx3llvV'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, LOhDoPGcr0sy8ui08J.cs High entropy of concatenated method names: 'elQ51ErY3m', 'GPx5pTltYb', 'YsY560KWqw', 'VgF5LGfWE1', 'h1M5HQswC0', 'W9y64icfoZ', 'EdP6ae8VQu', 'RNN6Rt1RjS', 'Gqu60MeE6q', 'yvR62ZrEqG'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, VncoUxRqwyxacejbqa.cs High entropy of concatenated method names: 'oE3fWS1bn7', 'SmUfEdrAgA', 'ojsffPyQbv', 'daNf8bYDdM', 'jYQfUEkAGA', 'i4tfB3iYr9', 'Dispose', 'JEmvbyb5Jd', 'D22vpTGMSY', 'CTdvSJcRi7'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, DJEwmBlFhqMWq18ODlp.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r6HYfesMbL', 'PsGYxCjWbV', 'UC3Y8vJRoe', 'pE0YYYC6hR', 'pkEYUVNy1N', 'RnvY3jkhLc', 'NHnYBppQJ4'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, SBOMUsllvJRxlWuCoho.cs High entropy of concatenated method names: 'GXXxCbHHlj', 'Nfxxz70sct', 'KjR8oIJbge', 'kFw8lJjjWi', 'pfO89oAZEM', 'GD88DUrHGh', 'G3d8FA6i0F', 'wfv81ouXLO', 'cgS8b272Xv', 'L9q8ppZQQJ'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, V8GpJSHfERQPZdSvTP.cs High entropy of concatenated method names: 'zJKD14YgEb', 'GcYDb6CFSR', 'rRSDpcLYt0', 'l1gDSqTCwk', 'iPTD6B3JQS', 'bFMD5XuGig', 'YhODLclJi4', 'XGWDHY0Kvi', 'Au8DqTcEKl', 'ennDZLOYld'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, BjMU6yaiqhebqut6xN.cs High entropy of concatenated method names: 'Ew2E0JFYEo', 'YAcECZyFIM', 'Ubjvop2lgF', 'iW5vl5ukS1', 'ijiEPeJiPO', 'LwwEy4QVR9', 'HbVEu9BmlU', 'Fs3EwZXFxy', 'yU8EVq9moq', 'qZLEQyYlfb'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, OimXPJ21cqVTQHZAbD.cs High entropy of concatenated method names: 'v7wfGuFvx6', 'CnufJrQmR9', 'y6NfMYPoS3', 'P1hfgGF3JT', 'q4Yfjx15Ry', 'CUWfcmJeIm', 'phafiry9q4', 'tLGfexfZMq', 'DR3fKjt2dA', 'q15fIKuou0'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, dJ1DG7zThxA1XO7tHU.cs High entropy of concatenated method names: 'rY5xd4cIlg', 'b10xOsHpw0', 'lJoxTn1HAS', 'HNmxG9xOaq', 'G9LxJMUGHv', 'RM7xgvvbBY', 'A3bxjgJIGK', 'rroxBq8VkE', 'tVDxAqC81W', 'uRRxNidDSN'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, URBpJYuUOiqnwSLstk.cs High entropy of concatenated method names: 'AYs7O1xA6j', 'Bpi7Td8dHK', 'Nic7GHJIoZ', 'wlm7JpENsf', 's7Q7gg8ktN', 'L117juSTJT', 'MUx7iHCQMl', 'FwB7eSRPjn', 'kfo7ILUn2N', 'zQV7PZOaEV'
Source: 0.2.Payment Advice D 0024679526 3930.exe.44227d0.0.raw.unpack, STvBYiOPF3W7NGdnQE.cs High entropy of concatenated method names: 'WOqpwoEitK', 'XJNpVdNW28', 'OtxpQf3no4', 'tMVptnFnTa', 'ju0p4WaY1J', 'X7LpaZSLth', 'lQEpRrBvCZ', 'fX2p0sE3Ri', 'hgOp2xN38s', 'EUHpCaaAoS'
Drops PE files
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe File created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: Payment Advice D 0024679526 3930.exe PID: 7016, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OyXCaSLaAXfAKx.exe PID: 4916, type: MEMORYSTR
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 2F20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 3150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 2F80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 8090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 9090000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: 9240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: A240000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 2DC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 2FD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 2DE0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 78C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 88C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 8A60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory allocated: 9A60000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162096E rdtsc 8_2_0162096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3123 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3370 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe API coverage: 0.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5416 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4948 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6996 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe TID: 4180 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe TID: 7276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe TID: 7388 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162096E rdtsc 8_2_0162096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_004178E3 LdrLoadDll, 8_2_004178E3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6154 mov eax, dword ptr fs:[00000030h] 8_2_015E6154
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6154 mov eax, dword ptr fs:[00000030h] 8_2_015E6154
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DC156 mov eax, dword ptr fs:[00000030h] 8_2_015DC156
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4164 mov eax, dword ptr fs:[00000030h] 8_2_016B4164
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4164 mov eax, dword ptr fs:[00000030h] 8_2_016B4164
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01674144 mov eax, dword ptr fs:[00000030h] 8_2_01674144
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01674144 mov eax, dword ptr fs:[00000030h] 8_2_01674144
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01674144 mov ecx, dword ptr fs:[00000030h] 8_2_01674144
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01674144 mov eax, dword ptr fs:[00000030h] 8_2_01674144
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01674144 mov eax, dword ptr fs:[00000030h] 8_2_01674144
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01678158 mov eax, dword ptr fs:[00000030h] 8_2_01678158
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01610124 mov eax, dword ptr fs:[00000030h] 8_2_01610124
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov eax, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E10E mov ecx, dword ptr fs:[00000030h] 8_2_0168E10E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168A118 mov ecx, dword ptr fs:[00000030h] 8_2_0168A118
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h] 8_2_0168A118
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h] 8_2_0168A118
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168A118 mov eax, dword ptr fs:[00000030h] 8_2_0168A118
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A0115 mov eax, dword ptr fs:[00000030h] 8_2_016A0115
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B61E5 mov eax, dword ptr fs:[00000030h] 8_2_016B61E5
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016101F8 mov eax, dword ptr fs:[00000030h] 8_2_016101F8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A61C3 mov eax, dword ptr fs:[00000030h] 8_2_016A61C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A61C3 mov eax, dword ptr fs:[00000030h] 8_2_016A61C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0165E1D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0165E1D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E1D0 mov ecx, dword ptr fs:[00000030h] 8_2_0165E1D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0165E1D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E1D0 mov eax, dword ptr fs:[00000030h] 8_2_0165E1D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h] 8_2_015DA197
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h] 8_2_015DA197
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA197 mov eax, dword ptr fs:[00000030h] 8_2_015DA197
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169C188 mov eax, dword ptr fs:[00000030h] 8_2_0169C188
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169C188 mov eax, dword ptr fs:[00000030h] 8_2_0169C188
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01620185 mov eax, dword ptr fs:[00000030h] 8_2_01620185
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01684180 mov eax, dword ptr fs:[00000030h] 8_2_01684180
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01684180 mov eax, dword ptr fs:[00000030h] 8_2_01684180
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166019F mov eax, dword ptr fs:[00000030h] 8_2_0166019F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166019F mov eax, dword ptr fs:[00000030h] 8_2_0166019F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166019F mov eax, dword ptr fs:[00000030h] 8_2_0166019F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166019F mov eax, dword ptr fs:[00000030h] 8_2_0166019F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E2050 mov eax, dword ptr fs:[00000030h] 8_2_015E2050
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160C073 mov eax, dword ptr fs:[00000030h] 8_2_0160C073
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666050 mov eax, dword ptr fs:[00000030h] 8_2_01666050
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h] 8_2_015FE016
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h] 8_2_015FE016
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h] 8_2_015FE016
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE016 mov eax, dword ptr fs:[00000030h] 8_2_015FE016
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676030 mov eax, dword ptr fs:[00000030h] 8_2_01676030
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01664000 mov ecx, dword ptr fs:[00000030h] 8_2_01664000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01682000 mov eax, dword ptr fs:[00000030h] 8_2_01682000
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA020 mov eax, dword ptr fs:[00000030h] 8_2_015DA020
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DC020 mov eax, dword ptr fs:[00000030h] 8_2_015DC020
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016660E0 mov eax, dword ptr fs:[00000030h] 8_2_016660E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016220F0 mov ecx, dword ptr fs:[00000030h] 8_2_016220F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DC0F0 mov eax, dword ptr fs:[00000030h] 8_2_015DC0F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E80E9 mov eax, dword ptr fs:[00000030h] 8_2_015E80E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016620DE mov eax, dword ptr fs:[00000030h] 8_2_016620DE
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA0E3 mov ecx, dword ptr fs:[00000030h] 8_2_015DA0E3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016780A8 mov eax, dword ptr fs:[00000030h] 8_2_016780A8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A60B8 mov eax, dword ptr fs:[00000030h] 8_2_016A60B8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A60B8 mov ecx, dword ptr fs:[00000030h] 8_2_016A60B8
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E208A mov eax, dword ptr fs:[00000030h] 8_2_015E208A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D80A0 mov eax, dword ptr fs:[00000030h] 8_2_015D80A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168437C mov eax, dword ptr fs:[00000030h] 8_2_0168437C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B634F mov eax, dword ptr fs:[00000030h] 8_2_016B634F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01662349 mov eax, dword ptr fs:[00000030h] 8_2_01662349
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AA352 mov eax, dword ptr fs:[00000030h] 8_2_016AA352
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01688350 mov ecx, dword ptr fs:[00000030h] 8_2_01688350
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov eax, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov eax, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov eax, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov ecx, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov eax, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166035C mov eax, dword ptr fs:[00000030h] 8_2_0166035C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DC310 mov ecx, dword ptr fs:[00000030h] 8_2_015DC310
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h] 8_2_016B8324
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B8324 mov ecx, dword ptr fs:[00000030h] 8_2_016B8324
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h] 8_2_016B8324
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B8324 mov eax, dword ptr fs:[00000030h] 8_2_016B8324
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h] 8_2_0161A30B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h] 8_2_0161A30B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A30B mov eax, dword ptr fs:[00000030h] 8_2_0161A30B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01600310 mov ecx, dword ptr fs:[00000030h] 8_2_01600310
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h] 8_2_015E83C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h] 8_2_015E83C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h] 8_2_015E83C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E83C0 mov eax, dword ptr fs:[00000030h] 8_2_015E83C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA3C0 mov eax, dword ptr fs:[00000030h] 8_2_015EA3C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016163FF mov eax, dword ptr fs:[00000030h] 8_2_016163FF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169C3CD mov eax, dword ptr fs:[00000030h] 8_2_0169C3CD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016663C0 mov eax, dword ptr fs:[00000030h] 8_2_016663C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h] 8_2_015FE3F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h] 8_2_015FE3F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE3F0 mov eax, dword ptr fs:[00000030h] 8_2_015FE3F0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h] 8_2_0168E3DB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h] 8_2_0168E3DB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E3DB mov ecx, dword ptr fs:[00000030h] 8_2_0168E3DB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168E3DB mov eax, dword ptr fs:[00000030h] 8_2_0168E3DB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F03E9 mov eax, dword ptr fs:[00000030h] 8_2_015F03E9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016843D4 mov eax, dword ptr fs:[00000030h] 8_2_016843D4
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016843D4 mov eax, dword ptr fs:[00000030h] 8_2_016843D4
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h] 8_2_015D8397
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h] 8_2_015D8397
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8397 mov eax, dword ptr fs:[00000030h] 8_2_015D8397
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h] 8_2_015DE388
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h] 8_2_015DE388
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE388 mov eax, dword ptr fs:[00000030h] 8_2_015DE388
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160438F mov eax, dword ptr fs:[00000030h] 8_2_0160438F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160438F mov eax, dword ptr fs:[00000030h] 8_2_0160438F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6259 mov eax, dword ptr fs:[00000030h] 8_2_015E6259
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DA250 mov eax, dword ptr fs:[00000030h] 8_2_015DA250
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01690274 mov eax, dword ptr fs:[00000030h] 8_2_01690274
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01668243 mov eax, dword ptr fs:[00000030h] 8_2_01668243
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01668243 mov ecx, dword ptr fs:[00000030h] 8_2_01668243
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D826B mov eax, dword ptr fs:[00000030h] 8_2_015D826B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B625D mov eax, dword ptr fs:[00000030h] 8_2_016B625D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169A250 mov eax, dword ptr fs:[00000030h] 8_2_0169A250
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169A250 mov eax, dword ptr fs:[00000030h] 8_2_0169A250
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h] 8_2_015E4260
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h] 8_2_015E4260
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4260 mov eax, dword ptr fs:[00000030h] 8_2_015E4260
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D823B mov eax, dword ptr fs:[00000030h] 8_2_015D823B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h] 8_2_015EA2C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h] 8_2_015EA2C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h] 8_2_015EA2C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h] 8_2_015EA2C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA2C3 mov eax, dword ptr fs:[00000030h] 8_2_015EA2C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B62D6 mov eax, dword ptr fs:[00000030h] 8_2_016B62D6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h] 8_2_015F02E1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h] 8_2_015F02E1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F02E1 mov eax, dword ptr fs:[00000030h] 8_2_015F02E1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov ecx, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016762A0 mov eax, dword ptr fs:[00000030h] 8_2_016762A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01660283 mov eax, dword ptr fs:[00000030h] 8_2_01660283
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01660283 mov eax, dword ptr fs:[00000030h] 8_2_01660283
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01660283 mov eax, dword ptr fs:[00000030h] 8_2_01660283
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E284 mov eax, dword ptr fs:[00000030h] 8_2_0161E284
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E284 mov eax, dword ptr fs:[00000030h] 8_2_0161E284
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F02A0 mov eax, dword ptr fs:[00000030h] 8_2_015F02A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F02A0 mov eax, dword ptr fs:[00000030h] 8_2_015F02A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161656A mov eax, dword ptr fs:[00000030h] 8_2_0161656A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161656A mov eax, dword ptr fs:[00000030h] 8_2_0161656A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161656A mov eax, dword ptr fs:[00000030h] 8_2_0161656A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8550 mov eax, dword ptr fs:[00000030h] 8_2_015E8550
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8550 mov eax, dword ptr fs:[00000030h] 8_2_015E8550
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h] 8_2_0160E53E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h] 8_2_0160E53E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h] 8_2_0160E53E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h] 8_2_0160E53E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E53E mov eax, dword ptr fs:[00000030h] 8_2_0160E53E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676500 mov eax, dword ptr fs:[00000030h] 8_2_01676500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0535 mov eax, dword ptr fs:[00000030h] 8_2_015F0535
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4500 mov eax, dword ptr fs:[00000030h] 8_2_016B4500
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E5E7 mov eax, dword ptr fs:[00000030h] 8_2_0160E5E7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C5ED mov eax, dword ptr fs:[00000030h] 8_2_0161C5ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C5ED mov eax, dword ptr fs:[00000030h] 8_2_0161C5ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E65D0 mov eax, dword ptr fs:[00000030h] 8_2_015E65D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E5CF mov eax, dword ptr fs:[00000030h] 8_2_0161E5CF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E5CF mov eax, dword ptr fs:[00000030h] 8_2_0161E5CF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0161A5D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A5D0 mov eax, dword ptr fs:[00000030h] 8_2_0161A5D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E25E0 mov eax, dword ptr fs:[00000030h] 8_2_015E25E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h] 8_2_016605A7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h] 8_2_016605A7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016605A7 mov eax, dword ptr fs:[00000030h] 8_2_016605A7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016045B1 mov eax, dword ptr fs:[00000030h] 8_2_016045B1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016045B1 mov eax, dword ptr fs:[00000030h] 8_2_016045B1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E2582 mov eax, dword ptr fs:[00000030h] 8_2_015E2582
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E2582 mov ecx, dword ptr fs:[00000030h] 8_2_015E2582
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01614588 mov eax, dword ptr fs:[00000030h] 8_2_01614588
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E59C mov eax, dword ptr fs:[00000030h] 8_2_0161E59C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D645D mov eax, dword ptr fs:[00000030h] 8_2_015D645D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166C460 mov ecx, dword ptr fs:[00000030h] 8_2_0166C460
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h] 8_2_0160A470
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h] 8_2_0160A470
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160A470 mov eax, dword ptr fs:[00000030h] 8_2_0160A470
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161E443 mov eax, dword ptr fs:[00000030h] 8_2_0161E443
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160245A mov eax, dword ptr fs:[00000030h] 8_2_0160245A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169A456 mov eax, dword ptr fs:[00000030h] 8_2_0169A456
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01666420 mov eax, dword ptr fs:[00000030h] 8_2_01666420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A430 mov eax, dword ptr fs:[00000030h] 8_2_0161A430
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01618402 mov eax, dword ptr fs:[00000030h] 8_2_01618402
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01618402 mov eax, dword ptr fs:[00000030h] 8_2_01618402
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01618402 mov eax, dword ptr fs:[00000030h] 8_2_01618402
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DC427 mov eax, dword ptr fs:[00000030h] 8_2_015DC427
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h] 8_2_015DE420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h] 8_2_015DE420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DE420 mov eax, dword ptr fs:[00000030h] 8_2_015DE420
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E04E5 mov ecx, dword ptr fs:[00000030h] 8_2_015E04E5
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016144B0 mov ecx, dword ptr fs:[00000030h] 8_2_016144B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166A4B0 mov eax, dword ptr fs:[00000030h] 8_2_0166A4B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0169A49A mov eax, dword ptr fs:[00000030h] 8_2_0169A49A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E64AB mov eax, dword ptr fs:[00000030h] 8_2_015E64AB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0750 mov eax, dword ptr fs:[00000030h] 8_2_015E0750
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161674D mov esi, dword ptr fs:[00000030h] 8_2_0161674D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161674D mov eax, dword ptr fs:[00000030h] 8_2_0161674D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161674D mov eax, dword ptr fs:[00000030h] 8_2_0161674D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8770 mov eax, dword ptr fs:[00000030h] 8_2_015E8770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0770 mov eax, dword ptr fs:[00000030h] 8_2_015F0770
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622750 mov eax, dword ptr fs:[00000030h] 8_2_01622750
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622750 mov eax, dword ptr fs:[00000030h] 8_2_01622750
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01664755 mov eax, dword ptr fs:[00000030h] 8_2_01664755
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166E75D mov eax, dword ptr fs:[00000030h] 8_2_0166E75D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C720 mov eax, dword ptr fs:[00000030h] 8_2_0161C720
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C720 mov eax, dword ptr fs:[00000030h] 8_2_0161C720
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0710 mov eax, dword ptr fs:[00000030h] 8_2_015E0710
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165C730 mov eax, dword ptr fs:[00000030h] 8_2_0165C730
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161273C mov eax, dword ptr fs:[00000030h] 8_2_0161273C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161273C mov ecx, dword ptr fs:[00000030h] 8_2_0161273C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161273C mov eax, dword ptr fs:[00000030h] 8_2_0161273C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C700 mov eax, dword ptr fs:[00000030h] 8_2_0161C700
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01610710 mov eax, dword ptr fs:[00000030h] 8_2_01610710
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166E7E1 mov eax, dword ptr fs:[00000030h] 8_2_0166E7E1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016027ED mov eax, dword ptr fs:[00000030h] 8_2_016027ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016027ED mov eax, dword ptr fs:[00000030h] 8_2_016027ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016027ED mov eax, dword ptr fs:[00000030h] 8_2_016027ED
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EC7C0 mov eax, dword ptr fs:[00000030h] 8_2_015EC7C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E47FB mov eax, dword ptr fs:[00000030h] 8_2_015E47FB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E47FB mov eax, dword ptr fs:[00000030h] 8_2_015E47FB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016607C3 mov eax, dword ptr fs:[00000030h] 8_2_016607C3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016947A0 mov eax, dword ptr fs:[00000030h] 8_2_016947A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168678E mov eax, dword ptr fs:[00000030h] 8_2_0168678E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E07AF mov eax, dword ptr fs:[00000030h] 8_2_015E07AF
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A660 mov eax, dword ptr fs:[00000030h] 8_2_0161A660
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A660 mov eax, dword ptr fs:[00000030h] 8_2_0161A660
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A866E mov eax, dword ptr fs:[00000030h] 8_2_016A866E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A866E mov eax, dword ptr fs:[00000030h] 8_2_016A866E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01612674 mov eax, dword ptr fs:[00000030h] 8_2_01612674
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FC640 mov eax, dword ptr fs:[00000030h] 8_2_015FC640
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01616620 mov eax, dword ptr fs:[00000030h] 8_2_01616620
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01618620 mov eax, dword ptr fs:[00000030h] 8_2_01618620
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F260B mov eax, dword ptr fs:[00000030h] 8_2_015F260B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E609 mov eax, dword ptr fs:[00000030h] 8_2_0165E609
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E262C mov eax, dword ptr fs:[00000030h] 8_2_015E262C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015FE627 mov eax, dword ptr fs:[00000030h] 8_2_015FE627
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01622619 mov eax, dword ptr fs:[00000030h] 8_2_01622619
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0165E6F2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0165E6F2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0165E6F2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0165E6F2
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016606F1 mov eax, dword ptr fs:[00000030h] 8_2_016606F1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016606F1 mov eax, dword ptr fs:[00000030h] 8_2_016606F1
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A6C7 mov ebx, dword ptr fs:[00000030h] 8_2_0161A6C7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A6C7 mov eax, dword ptr fs:[00000030h] 8_2_0161A6C7
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C6A6 mov eax, dword ptr fs:[00000030h] 8_2_0161C6A6
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4690 mov eax, dword ptr fs:[00000030h] 8_2_015E4690
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4690 mov eax, dword ptr fs:[00000030h] 8_2_015E4690
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016166B0 mov eax, dword ptr fs:[00000030h] 8_2_016166B0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01606962 mov eax, dword ptr fs:[00000030h] 8_2_01606962
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01606962 mov eax, dword ptr fs:[00000030h] 8_2_01606962
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01606962 mov eax, dword ptr fs:[00000030h] 8_2_01606962
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162096E mov eax, dword ptr fs:[00000030h] 8_2_0162096E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162096E mov edx, dword ptr fs:[00000030h] 8_2_0162096E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0162096E mov eax, dword ptr fs:[00000030h] 8_2_0162096E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01684978 mov eax, dword ptr fs:[00000030h] 8_2_01684978
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01684978 mov eax, dword ptr fs:[00000030h] 8_2_01684978
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166C97C mov eax, dword ptr fs:[00000030h] 8_2_0166C97C
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01660946 mov eax, dword ptr fs:[00000030h] 8_2_01660946
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4940 mov eax, dword ptr fs:[00000030h] 8_2_016B4940
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8918 mov eax, dword ptr fs:[00000030h] 8_2_015D8918
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8918 mov eax, dword ptr fs:[00000030h] 8_2_015D8918
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166892A mov eax, dword ptr fs:[00000030h] 8_2_0166892A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0167892B mov eax, dword ptr fs:[00000030h] 8_2_0167892B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E908 mov eax, dword ptr fs:[00000030h] 8_2_0165E908
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165E908 mov eax, dword ptr fs:[00000030h] 8_2_0165E908
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166C912 mov eax, dword ptr fs:[00000030h] 8_2_0166C912
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166E9E0 mov eax, dword ptr fs:[00000030h] 8_2_0166E9E0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EA9D0 mov eax, dword ptr fs:[00000030h] 8_2_015EA9D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016129F9 mov eax, dword ptr fs:[00000030h] 8_2_016129F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016129F9 mov eax, dword ptr fs:[00000030h] 8_2_016129F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016769C0 mov eax, dword ptr fs:[00000030h] 8_2_016769C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016149D0 mov eax, dword ptr fs:[00000030h] 8_2_016149D0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AA9D3 mov eax, dword ptr fs:[00000030h] 8_2_016AA9D3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016689B3 mov esi, dword ptr fs:[00000030h] 8_2_016689B3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016689B3 mov eax, dword ptr fs:[00000030h] 8_2_016689B3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016689B3 mov eax, dword ptr fs:[00000030h] 8_2_016689B3
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E09AD mov eax, dword ptr fs:[00000030h] 8_2_015E09AD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E09AD mov eax, dword ptr fs:[00000030h] 8_2_015E09AD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F29A0 mov eax, dword ptr fs:[00000030h] 8_2_015F29A0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4859 mov eax, dword ptr fs:[00000030h] 8_2_015E4859
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E4859 mov eax, dword ptr fs:[00000030h] 8_2_015E4859
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166E872 mov eax, dword ptr fs:[00000030h] 8_2_0166E872
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166E872 mov eax, dword ptr fs:[00000030h] 8_2_0166E872
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676870 mov eax, dword ptr fs:[00000030h] 8_2_01676870
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676870 mov eax, dword ptr fs:[00000030h] 8_2_01676870
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F2840 mov ecx, dword ptr fs:[00000030h] 8_2_015F2840
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01610854 mov eax, dword ptr fs:[00000030h] 8_2_01610854
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161A830 mov eax, dword ptr fs:[00000030h] 8_2_0161A830
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168483A mov eax, dword ptr fs:[00000030h] 8_2_0168483A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168483A mov eax, dword ptr fs:[00000030h] 8_2_0168483A
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov eax, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov eax, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov eax, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov ecx, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov eax, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01602835 mov eax, dword ptr fs:[00000030h] 8_2_01602835
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166C810 mov eax, dword ptr fs:[00000030h] 8_2_0166C810
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AA8E4 mov eax, dword ptr fs:[00000030h] 8_2_016AA8E4
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0161C8F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161C8F9 mov eax, dword ptr fs:[00000030h] 8_2_0161C8F9
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160E8C0 mov eax, dword ptr fs:[00000030h] 8_2_0160E8C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B08C0 mov eax, dword ptr fs:[00000030h] 8_2_016B08C0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0887 mov eax, dword ptr fs:[00000030h] 8_2_015E0887
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166C89D mov eax, dword ptr fs:[00000030h] 8_2_0166C89D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015D8B50 mov eax, dword ptr fs:[00000030h] 8_2_015D8B50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01694B4B mov eax, dword ptr fs:[00000030h] 8_2_01694B4B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01694B4B mov eax, dword ptr fs:[00000030h] 8_2_01694B4B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015DCB7E mov eax, dword ptr fs:[00000030h] 8_2_015DCB7E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676B40 mov eax, dword ptr fs:[00000030h] 8_2_01676B40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01676B40 mov eax, dword ptr fs:[00000030h] 8_2_01676B40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016AAB40 mov eax, dword ptr fs:[00000030h] 8_2_016AAB40
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01688B42 mov eax, dword ptr fs:[00000030h] 8_2_01688B42
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168EB50 mov eax, dword ptr fs:[00000030h] 8_2_0168EB50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h] 8_2_016B2B57
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h] 8_2_016B2B57
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h] 8_2_016B2B57
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B2B57 mov eax, dword ptr fs:[00000030h] 8_2_016B2B57
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160EB20 mov eax, dword ptr fs:[00000030h] 8_2_0160EB20
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160EB20 mov eax, dword ptr fs:[00000030h] 8_2_0160EB20
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A8B28 mov eax, dword ptr fs:[00000030h] 8_2_016A8B28
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016A8B28 mov eax, dword ptr fs:[00000030h] 8_2_016A8B28
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_016B4B00 mov eax, dword ptr fs:[00000030h] 8_2_016B4B00
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165EB1D mov eax, dword ptr fs:[00000030h] 8_2_0165EB1D
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h] 8_2_015E0BCD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h] 8_2_015E0BCD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0BCD mov eax, dword ptr fs:[00000030h] 8_2_015E0BCD
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166CBF0 mov eax, dword ptr fs:[00000030h] 8_2_0166CBF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160EBFC mov eax, dword ptr fs:[00000030h] 8_2_0160EBFC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h] 8_2_01600BCB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h] 8_2_01600BCB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01600BCB mov eax, dword ptr fs:[00000030h] 8_2_01600BCB
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h] 8_2_015E8BF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h] 8_2_015E8BF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E8BF0 mov eax, dword ptr fs:[00000030h] 8_2_015E8BF0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168EBD0 mov eax, dword ptr fs:[00000030h] 8_2_0168EBD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01694BB0 mov eax, dword ptr fs:[00000030h] 8_2_01694BB0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01694BB0 mov eax, dword ptr fs:[00000030h] 8_2_01694BB0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0BBE mov eax, dword ptr fs:[00000030h] 8_2_015F0BBE
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0BBE mov eax, dword ptr fs:[00000030h] 8_2_015F0BBE
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0A5B mov eax, dword ptr fs:[00000030h] 8_2_015F0A5B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015F0A5B mov eax, dword ptr fs:[00000030h] 8_2_015F0A5B
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0168EA60 mov eax, dword ptr fs:[00000030h] 8_2_0168EA60
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h] 8_2_0161CA6F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h] 8_2_0161CA6F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161CA6F mov eax, dword ptr fs:[00000030h] 8_2_0161CA6F
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E6A50 mov eax, dword ptr fs:[00000030h] 8_2_015E6A50
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165CA72 mov eax, dword ptr fs:[00000030h] 8_2_0165CA72
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0165CA72 mov eax, dword ptr fs:[00000030h] 8_2_0165CA72
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161CA24 mov eax, dword ptr fs:[00000030h] 8_2_0161CA24
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0160EA2E mov eax, dword ptr fs:[00000030h] 8_2_0160EA2E
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01604A35 mov eax, dword ptr fs:[00000030h] 8_2_01604A35
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01604A35 mov eax, dword ptr fs:[00000030h] 8_2_01604A35
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161CA38 mov eax, dword ptr fs:[00000030h] 8_2_0161CA38
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0166CA11 mov eax, dword ptr fs:[00000030h] 8_2_0166CA11
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015E0AD0 mov eax, dword ptr fs:[00000030h] 8_2_015E0AD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161AAEE mov eax, dword ptr fs:[00000030h] 8_2_0161AAEE
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_0161AAEE mov eax, dword ptr fs:[00000030h] 8_2_0161AAEE
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h] 8_2_01636ACC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h] 8_2_01636ACC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01636ACC mov eax, dword ptr fs:[00000030h] 8_2_01636ACC
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01614AD0 mov eax, dword ptr fs:[00000030h] 8_2_01614AD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01614AD0 mov eax, dword ptr fs:[00000030h] 8_2_01614AD0
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_01636AA4 mov eax, dword ptr fs:[00000030h] 8_2_01636AA4
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EEA80 mov eax, dword ptr fs:[00000030h] 8_2_015EEA80
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Code function: 8_2_015EEA80 mov eax, dword ptr fs:[00000030h] 8_2_015EEA80
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe"
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe"
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Memory written: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Memory written: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp7D3C.tmp" Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Process created: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe "C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OyXCaSLaAXfAKx" /XML "C:\Users\user\AppData\Local\Temp\tmp9633.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Process created: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe "C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Queries volume information: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\OyXCaSLaAXfAKx.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice D 0024679526 3930.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Payment Advice D 0024679526 3930.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2050695682.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2051506535.00000000014C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562305 Sample: Payment Advice D 0024679526... Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Sigma detected: Scheduled temp file as task from temp location 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 9 other signatures 2->50 7 Payment Advice D 0024679526 3930.exe 7 2->7         started        11 OyXCaSLaAXfAKx.exe 5 2->11         started        process3 file4 36 C:\Users\user\AppData\...\OyXCaSLaAXfAKx.exe, PE32 7->36 dropped 38 C:\...\OyXCaSLaAXfAKx.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp7D3C.tmp, XML 7->40 dropped 42 Payment Advice D 0024679526 3930.exe.log, ASCII 7->42 dropped 52 Adds a directory exclusion to Windows Defender 7->52 54 Injects a PE file into a foreign processes 7->54 13 powershell.exe 23 7->13         started        16 powershell.exe 23 7->16         started        18 schtasks.exe 1 7->18         started        20 Payment Advice D 0024679526 3930.exe 7->20         started        56 Antivirus detection for dropped file 11->56 58 Multi AV Scanner detection for dropped file 11->58 60 Machine Learning detection for dropped file 11->60 22 schtasks.exe 1 11->22         started        24 OyXCaSLaAXfAKx.exe 11->24         started        signatures5 process6 signatures7 62 Loading BitLocker PowerShell Module 13->62 26 WmiPrvSE.exe 13->26         started        28 conhost.exe 13->28         started        30 conhost.exe 16->30         started        32 conhost.exe 18->32         started        34 conhost.exe 22->34         started        process8
No contacted IP infos

Contacted Domains

Name IP Active
fp2e7a.wpc.phicdn.net 192.229.221.95 true