Windows Analysis Report
Payment Advice.exe

Overview

General Information

Sample name: Payment Advice.exe
Analysis ID: 1428252
MD5: f060b9400a263bea044a7789ec1d85d9
SHA1: 3e939ea522e4356fbdc15c7e0119366a6369e0c9
SHA256: 921ace6c0f27813fa370b65bcaee79824a4e31920dbdfec7652103c60e84cd23
Tags: AgentTesla, exe, Payment

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.seawaysfreight-bd.com", "Username": "samsuddin@seawaysfreight-bd.com", "Password": "36@SaM%sFl#"}
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe ReversingLabs: Detection: 42%
Source: Payment Advice.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Joe Sandbox ML: detected
Source: Payment Advice.exe Joe Sandbox ML: detected
Source: Payment Advice.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: Payment Advice.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 4x nop then jmp 06EE4434h 14_2_06EE3E4A
Source: global traffic TCP traffic: 192.168.2.4:49738 -> 94.100.26.91:587
Source: Joe Sandbox View IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View IP Address: 94.100.26.91 94.100.26.91
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: Payment Advice.exe, BjTxJte.exe.8.dr, sFPEKzHsLkYZIz.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Payment Advice.exe, BjTxJte.exe.8.dr, sFPEKzHsLkYZIz.exe.0.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000318E000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000003247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.seawaysfreight-bd.com
Source: Payment Advice.exe, BjTxJte.exe.8.dr, sFPEKzHsLkYZIz.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: Payment Advice.exe, 00000008.00000002.4119763177.000000000101B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4171500763.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006260000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006281000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4119763177.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009210000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009225000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/09
Source: Payment Advice.exe, 00000008.00000002.4119763177.000000000101B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4171500763.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006260000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006281000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4119763177.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009210000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009225000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Payment Advice.exe, 00000000.00000002.1710843743.000000000318F000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 00000009.00000002.1756192021.000000000336F000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.0000000002891000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000E.00000002.1849213275.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.1931578848.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002E1E000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000318E000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002E67000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000002FF8000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000003247000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://seawaysfreight-bd.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment Advice.exe, 00000000.00000002.1718407994.0000000007262000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: Payment Advice.exe, 00000008.00000002.4119763177.000000000101B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4171500763.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006281000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4119763177.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009210000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009225000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Payment Advice.exe, 00000008.00000002.4119763177.000000000101B000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4171500763.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.000000000309A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4169183072.0000000006281000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4119763177.000000000103D000.00000004.00000020.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002ED7000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002FD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009210000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4195658580.0000000009225000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E74000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.000000000309A000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Payment Advice.exe, 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 00000009.00000002.1760226964.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4115682058.0000000000431000.00000040.00000400.00020000.00000000.sdmp, BjTxJte.exe, 0000000E.00000002.1852266538.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.1933792023.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Payment Advice.exe, 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000008.00000002.4124616083.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 00000009.00000002.1760226964.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4115682058.0000000000431000.00000040.00000400.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.0000000002891000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 0000000E.00000002.1852266538.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000014.00000002.1933792023.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000019.00000002.4125631218.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.0000000002891000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002D81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4124167230.0000000002891000.00000004.00000800.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4125579074.0000000002D81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Payment Advice.exe, BjTxJte.exe.8.dr, sFPEKzHsLkYZIz.exe.0.dr String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, cPKWk.cs .Net Code: _9Y8jnYI
Source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, cPKWk.cs .Net Code: _9Y8jnYI
Source: C:\Users\user\Desktop\Payment Advice.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment Advice.exe
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\Desktop\Payment Advice.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.Payment Advice.exe.4c84a08.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.BjTxJte.exe.3ce4260.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Advice.exe.4c497e8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.BjTxJte.exe.41c5ac8.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.BjTxJte.exe.3d1f480.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 14.2.BjTxJte.exe.41c5ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 20.2.BjTxJte.exe.3ce4260.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Payment Advice.exe.8ec0000.8.raw.unpack, SQL.cs Large array initialization: : array initializer size 33608
Source: initial sample Static PE information: Filename: Payment Advice.exe
Source: Payment Advice.exe Static PE information: invalid certificate
Source: Payment Advice.exe, 00000000.00000002.1706697674.000000000129E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1710843743.00000000031E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename935d4343-3e00-439b-b10a-ff974a5f8529.exe4 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000000.1645353775.0000000000AB8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLtIh.exe< vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1720871520.000000000B470000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1720188330.0000000008EC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1710843743.0000000002F01000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1712393138.00000000048E6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename935d4343-3e00-439b-b10a-ff974a5f8529.exe4 vs Payment Advice.exe
Source: Payment Advice.exe, 00000008.00000002.4116527914.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Advice.exe
Source: Payment Advice.exe Binary or memory string: OriginalFilenameLtIh.exe< vs Payment Advice.exe
Source: Payment Advice.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Payment Advice.exe.4c84a08.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.BjTxJte.exe.3ce4260.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment Advice.exe.4c497e8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.BjTxJte.exe.41c5ac8.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.BjTxJte.exe.3d1f480.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 14.2.BjTxJte.exe.41c5ac8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 20.2.BjTxJte.exe.3ce4260.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Payment Advice.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sFPEKzHsLkYZIz.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, k8kSUDwarKJEU7Xa30.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: _0020.AddAccessRule
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, k8kSUDwarKJEU7Xa30.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: _0020.SetAccessControl
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, g45rfxMhkEpawBNuWE.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/20@2/2
Source: C:\Users\user\Desktop\Payment Advice.exe File created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Mutant created: \Sessions\1\BaseNamedObjects\ulmOXmclEpqFJLBfFWotANyak
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7216:120:WilError_03
Source: C:\Users\user\Desktop\Payment Advice.exe File created: C:\Users\user\AppData\Local\Temp\tmp6619.tmp
Source: Payment Advice.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Payment Advice.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\Desktop\Payment Advice.exe File read: C:\Users\user\Desktop\Payment Advice.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp6619.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp7ACA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpA082.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp6619.tmp"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp7ACA.tmp"
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpA082.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
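The process-creation evidence above is the sample's defense-evasion and persistence chain in one place: a PowerShell child adds Defender exclusions for the dropper on the Desktop and for its copy under AppData\Roaming, schtasks.exe registers a task named Updates\sFPEKzHsLkYZIz from a tmp*.tmp XML file in %TEMP%, and the dropper then re-launches its own image (the suspended-mode self-spawn the signature list attributes to process injection). The Python below is an added example, not part of the Joe Sandbox report, that runs detection logic for those three patterns over a constructed feed of parent/command-line pairs copied from the lines above, shaped the way a Sysmon event 1 or Security 4688 record would present them. The rule names, severities and the analyze/exe_from_cmdline helpers are my own and not anything the report defines.

```python
import re

# Constructed sample feed: the "Process created" evidence from this report,
# reduced to (parent image, child command line) pairs as an endpoint log
# (Sysmon EID 1 / Security 4688 style) would present them.
SAMPLE_EVENTS = [
    ("unknown", r'"C:\Users\user\Desktop\Payment Advice.exe"'),
    (r"C:\Users\user\Desktop\Payment Advice.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"'),
    (r"C:\Users\user\Desktop\Payment Advice.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"'),
    (r"C:\Users\user\Desktop\Payment Advice.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp6619.tmp"'),
    (r"C:\Users\user\Desktop\Payment Advice.exe",
     r'"C:\Users\user\Desktop\Payment Advice.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Directories an unprivileged user can write to; an exclusion target or a
# parent living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\")
TEMP_DIR = re.compile(r"(?i)\\appdata\\local\\temp\\")

# Rule patterns (hypothetical rule names chosen for this example).
MPPREF_RE = re.compile(r'(?i)add-mppreference\s+-exclusion(?:path|process|extension)\s+"?([^"]+)"?')
SCHTASKS_XML_RE = re.compile(r'(?i)/xml\s+"?([^"]+)"?')
SCHTASKS_TN_RE = re.compile(r'(?i)/tn\s+"?([^"]+)"?')


def exe_from_cmdline(cmd):
    """Return the image path from a command line (first quoted or bare token)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def analyze(events):
    """Run three detections over (parent, cmdline) pairs.

    Returns a list of (severity, rule, parent, detail) tuples in event order.
    """
    findings = []
    for parent, cmd in events:
        image = exe_from_cmdline(cmd)
        name = image.rsplit("\\", 1)[-1].lower()

        if name == "powershell.exe":
            # Add-MpPreference -Exclusion* from a non-admin tool is the
            # Defender-exclusion signature in the report.
            m = MPPREF_RE.search(cmd)
            if m:
                target = m.group(1).strip()
                sev = "high" if USER_WRITABLE.search(target) else "medium"
                findings.append((sev, "defender_exclusion", parent, target))

        elif name == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
            # Task registered from an XML definition dropped in %TEMP%.
            xml = SCHTASKS_XML_RE.search(cmd)
            tn = SCHTASKS_TN_RE.search(cmd)
            if xml and TEMP_DIR.search(xml.group(1)):
                findings.append(("high", "schtasks_from_temp_xml", parent,
                                 tn.group(1) if tn else xml.group(1)))

        # A process re-launching its own image from a user-writable path is
        # the shape of the suspended-mode self-spawn used for injection.
        if image and parent.lower() == image.lower() and USER_WRITABLE.search(parent):
            findings.append(("medium", "self_spawn_from_user_dir", parent, image))
    return findings


if __name__ == "__main__":
    for sev, rule, parent, detail in analyze(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule:26} parent={parent} detail={detail}")
```

On the six constructed events the three rules fire four times: two high-severity exclusions (both targets sit under the user profile), one high-severity task registration from %TEMP%, and one medium-severity self-spawn of Payment Advice.exe; the conhost.exe child and the initial launch produce nothing. The severity split on USER_WRITABLE is deliberate: an administrator legitimately excluding a path under Program Files should not page anyone, while an exclusion for a file in Desktop or AppData\Roaming almost never has a benign explanation.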
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Payment Advice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Payment Advice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Payment Advice.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Payment Advice.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: sFPEKzHsLkYZIz.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment Advice.exe.8ec0000.8.raw.unpack, SQL.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, g45rfxMhkEpawBNuWE.cs .Net Code: wPfj1ZW3Ew System.Reflection.Assembly.Load(byte[])
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, g45rfxMhkEpawBNuWE.cs .Net Code: wPfj1ZW3Ew System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_01493AD9 push ebx; retf 0_2_01493ADA
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_05C870C8 pushad ; ret 0_2_05C870D1
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_05C8C207 pushad ; ret 0_2_05C8C20A
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_077A0947 pushad ; retf 0_2_077A0948
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 0_2_077A093D pushad ; retf 0_2_077A093E
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 8_2_00F8B257 push 8BFFFFF7h; ret 8_2_00F8B25D
Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 8_2_00F80C3D push edi; ret 8_2_00F80CC2
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 9_2_030B3314 pushfd ; iretd 9_2_030B3351
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 9_2_030B3352 pushfd ; iretd 9_2_030B3351
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 9_2_030B369B push ebx; iretd 9_2_030B36DA
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 9_2_030B3AD9 push ebx; retf 9_2_030B3ADA
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 13_2_00F5B257 push 8BFFFFF7h; ret 13_2_00F5B25D
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Code function: 13_2_00F50C3D push edi; ret 13_2_00F50CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_0227334D pushfd ; iretd 14_2_02273351
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_022736D3 push ebx; iretd 14_2_022736DA
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_02273AD9 push ebx; retf 14_2_02273ADA
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A50E9B push es; retf 14_2_06A50EB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A50E00 push es; retf 14_2_06A50E68
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A50E00 push es; retf 14_2_06A50EB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A50E69 push es; retf 14_2_06A50EB8
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A5093D pushad ; retf 14_2_06A5093E
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06A50947 pushad ; retf 14_2_06A50948
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 14_2_06EE7147 push dword ptr [edx+ebp*2-75h]; iretd 14_2_06EE7157
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 19_2_012F0C3D push edi; ret 19_2_012F0CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 19_2_06916F81 push es; ret 19_2_06916F90
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 19_2_06911658 push cs; retf 19_2_0691165B
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_053470C8 pushad ; ret 20_2_053470D1
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_0534C207 pushad ; ret 20_2_0534C20A
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 20_2_0534DB32 push esi; retf 20_2_0534DB33
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 25_2_01170B4D push edi; ret 25_2_01170CC2
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Code function: 25_2_01170C95 push edi; retf 25_2_01170C3A
Source: Payment Advice.exe Static PE information: section name: .text entropy: 7.9742405595701085
Source: sFPEKzHsLkYZIz.exe.0.dr Static PE information: section name: .text entropy: 7.9742405595701085
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, aBMIJsI2GFRlsegvHA.cs High entropy of concatenated method names: 'jLwgRvxbS4', 'qtDgnhTgtc', 'SANgr2Ee97', 'pTZgNVKc7T', 'NgXgUheTv6', 'z4agKW03ii', 'rwcgdykN4B', 'llogtLOOOO', 'cuNgOAOhrv', 'aAYgTWvfo8'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, g45rfxMhkEpawBNuWE.cs High entropy of concatenated method names: 'yBKDYVWIhW', 'SJhDRJNBnS', 'NF2Dnigk2X', 'okVDrSXdd0', 'N0fDNXe9Xh', 'dfIDU7Sk7j', 'dX0DK1HM03', 'zVbDdPPkjF', 'O86DtmwZMw', 'RwPDOtR8YE'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, TSuJXh688KCvDRA8xS.cs High entropy of concatenated method names: 'ei3pKoIYfr', 'moCpdXr3Ju', 'O1CpOZBwDQ', 'RUrpTogNg1', 'WUGpJ7YNyd', 'bxVpwYleWS', 'kvoueXMOm5Q1SmlxXi', 'pYhjSI0urU5QYksA49', 'n5FppYHYrI', 'fL6pDlm01c'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, TfJtmBfwbVKTZLpqD3.cs High entropy of concatenated method names: 'cmAr0bSsRt', 'jb8rvNqRO3', 'RRCrMjmfw5', 'B2VrIZ2GEj', 'eLKrJ85HTQ', 'MaQrwqQAhW', 'qPtr5xBcwx', 'VkhrgGY6v5', 'VwVr7uORve', 'TTorijefRO'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, z3JXvXmmMR8LABifXF.cs High entropy of concatenated method names: 'MNe1UwKM8', 'D6N0kRAP7', 'n5Nv7Lvc4', 'DO2GxDV12', 'MefIijA26', 'PqUsMIlAE', 'TgxKcq6CEY0ShNRXym', 'MjV50ZBx5Zq2lxQjva', 'vKngh5OxF', 'KkYigsO3F'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, sOMv7bgiRmU007FApa.cs High entropy of concatenated method names: 'uxI7pdRerW', 'HS07DnctEt', 'sj97jh8vvR', 'gRd7Rxg9Vm', 'hkl7nmacGN', 'jYW7NTWrIn', 'Gmx7UlikXw', 'kyGgasyxi0', 'DkygcDjI6M', 'T4mgQ3hN3S'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, vMCUf22TOWfFJfIcQU.cs High entropy of concatenated method names: 'ToString', 'tpPwyaLUNI', 'bMAw3AS9yd', 'ndfwBIdFbJ', 'zOtwEA1J0w', 'SS3w2cgs2Y', 'Tdjw652ika', 'zOqwPuc6uh', 'eG8weVRuAx', 'H21wqdTjxY'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, k8kSUDwarKJEU7Xa30.cs High entropy of concatenated method names: 'cOinLdtRg7', 'N8Vn99vQp1', 't2JnXoI9PJ', 'F3LnkQnQYw', 'VI3nfVBOZx', 'aB5nVZh6tY', 'e6InaMotY4', 'S1ZncZOoVc', 'mdqnQYRYc0', 'Q9rnHsRZVk'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, nUo34hz6QsbQPWCtYV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oZy7ZuOZdh', 'FWt7JYvoRg', 'wjl7wQmbUc', 'Xsr75Vv6EA', 'AFp7gSTXWF', 'QYV7726pVb', 'W4F7i0edYs'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, UpQHmstwEVKTgZGGgR.cs High entropy of concatenated method names: 'Gh0NS2uFRD', 'tWYNGuX9kt', 'UstrBb7lVZ', 'tkVrEhSfu4', 'rdsr27Em69', 'gmTr6YJNgn', 'h8ZrPeZPs8', 'UiJreXQnoS', 'Hv4rqxQpdc', 'XbGroxSHiR'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, Ex8GEybODp9w5PDMiRh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kUfiLr5uGy', 'IPmi9u4sj5', 'mJMiXU84Nf', 'PWVikZ5nQa', 'IDuif2GqVH', 'zHqiV9myaw', 'Je0iauMVCy'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, Hv2PvdJu2lR4hIVvn9.cs High entropy of concatenated method names: 'iwLZMud7uP', 'RUdZInlfp1', 'IN2ZWbGKQc', 'U5MZ3DRTY8', 'RL6ZESwAmq', 'ad0Z2B80qB', 'cWCZPHbtEI', 'MV0ZeYUTBW', 'NPCZoscrYR', 'REqZyTb42W'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, xuq9NBsGj38hal6MpI.cs High entropy of concatenated method names: 'jwKJoN0f0d', 'LlpJu8rK3y', 'eZ1JLCAD8k', 'C3ZJ9mFGtU', 'UP7J3LBteg', 'GByJBpH2q4', 'ltdJE9TvBX', 'fULJ2gL56I', 'TQlJ6hldem', 'YylJPdQbbM'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, YyZUO9b5whwYWTkytbE.cs High entropy of concatenated method names: 'n7E7AN38Ju', 'AE47bDETub', 'n0d71JW0Gq', 'XH670cjHVD', 'EGk7SqTiL9', 'rXa7vlnPfG', 'x2P7GteEOf', 'lPA7MhYVP0', 'aFv7I5cZDZ', 'Gcb7scQDcK'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, NFWBpM4mPw4rlyE4h1.cs High entropy of concatenated method names: 'Dispose', 'lpEpQ1CnJM', 't5E43ZeSb2', 'VffCCYlVy8', 'jrmpHDpc1L', 'zTVpzdcr92', 'ProcessDialogKey', 'PgS4mecuej', 'hiE4pDjYxQ', 'LhM441QNTV'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, ts6Ukvnuhx7ka3epjf.cs High entropy of concatenated method names: 'GHOUY12Ajx', 'OF8UnsDkYr', 'jAVUNidD8v', 'BEcUKYphPP', 'WBDUdmyZq7', 'osFNfHstVe', 'y9BNVShpwK', 'y7LNavY12Y', 'tQXNcHHQEN', 'XOGNQci9Xv'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, TSrMHgQjhmviKA4M93.cs High entropy of concatenated method names: 'sGUgWoCEnA', 'ievg3O9Nrf', 'LjwgBGsBVp', 'SovgEiU8UR', 'So0gLsL5K4', 'xIVg2T2kpi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, tkbEV7bmUUsmCjO133w.cs High entropy of concatenated method names: 'ExhiAtJOME', 'PC6ibDYElD', 'orqi112ZO4', 'MoOU4OH55avXSJHmnje', 'wef3TbH6JcQpvxPO8cu', 'cc2oJbHB9wjNZ4VtfLs', 'kcRKjkHleDArZJiy7SF'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, sF7EofuwR9Zd9VpvII.cs High entropy of concatenated method names: 'ontKRjRhsJ', 'o08KrFXwAs', 'p8nKUVLpdQ', 'Ef8UHHFFmC', 'eKUUzXSbZD', 'wqeKmgvEsT', 'XfVKp07PQi', 'F2lK4CwnMy', 'aAUKDRpAhP', 'nlYKjOTQIF'
Source: 0.2.Payment Advice.exe.4aeed50.4.raw.unpack, O1vH9MdC9n3P7LT7AU.cs High entropy of concatenated method names: 'zXnKAXlb9g', 'unNKbJfRrG', 'l3KK15klMu', 'NVgK0r2oib', 'A4bKSHd9B5', 'vXeKv8nqgu', 'ymBKGJwnDZ', 'rp9KMU3cT7', 'jP2KI85I6H', 'h58KsPiTvr'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, aBMIJsI2GFRlsegvHA.cs High entropy of concatenated method names: 'jLwgRvxbS4', 'qtDgnhTgtc', 'SANgr2Ee97', 'pTZgNVKc7T', 'NgXgUheTv6', 'z4agKW03ii', 'rwcgdykN4B', 'llogtLOOOO', 'cuNgOAOhrv', 'aAYgTWvfo8'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, g45rfxMhkEpawBNuWE.cs High entropy of concatenated method names: 'yBKDYVWIhW', 'SJhDRJNBnS', 'NF2Dnigk2X', 'okVDrSXdd0', 'N0fDNXe9Xh', 'dfIDU7Sk7j', 'dX0DK1HM03', 'zVbDdPPkjF', 'O86DtmwZMw', 'RwPDOtR8YE'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, TSuJXh688KCvDRA8xS.cs High entropy of concatenated method names: 'ei3pKoIYfr', 'moCpdXr3Ju', 'O1CpOZBwDQ', 'RUrpTogNg1', 'WUGpJ7YNyd', 'bxVpwYleWS', 'kvoueXMOm5Q1SmlxXi', 'pYhjSI0urU5QYksA49', 'n5FppYHYrI', 'fL6pDlm01c'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, TfJtmBfwbVKTZLpqD3.cs High entropy of concatenated method names: 'cmAr0bSsRt', 'jb8rvNqRO3', 'RRCrMjmfw5', 'B2VrIZ2GEj', 'eLKrJ85HTQ', 'MaQrwqQAhW', 'qPtr5xBcwx', 'VkhrgGY6v5', 'VwVr7uORve', 'TTorijefRO'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, z3JXvXmmMR8LABifXF.cs High entropy of concatenated method names: 'MNe1UwKM8', 'D6N0kRAP7', 'n5Nv7Lvc4', 'DO2GxDV12', 'MefIijA26', 'PqUsMIlAE', 'TgxKcq6CEY0ShNRXym', 'MjV50ZBx5Zq2lxQjva', 'vKngh5OxF', 'KkYigsO3F'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, sOMv7bgiRmU007FApa.cs High entropy of concatenated method names: 'uxI7pdRerW', 'HS07DnctEt', 'sj97jh8vvR', 'gRd7Rxg9Vm', 'hkl7nmacGN', 'jYW7NTWrIn', 'Gmx7UlikXw', 'kyGgasyxi0', 'DkygcDjI6M', 'T4mgQ3hN3S'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, vMCUf22TOWfFJfIcQU.cs High entropy of concatenated method names: 'ToString', 'tpPwyaLUNI', 'bMAw3AS9yd', 'ndfwBIdFbJ', 'zOtwEA1J0w', 'SS3w2cgs2Y', 'Tdjw652ika', 'zOqwPuc6uh', 'eG8weVRuAx', 'H21wqdTjxY'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, k8kSUDwarKJEU7Xa30.cs High entropy of concatenated method names: 'cOinLdtRg7', 'N8Vn99vQp1', 't2JnXoI9PJ', 'F3LnkQnQYw', 'VI3nfVBOZx', 'aB5nVZh6tY', 'e6InaMotY4', 'S1ZncZOoVc', 'mdqnQYRYc0', 'Q9rnHsRZVk'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, nUo34hz6QsbQPWCtYV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oZy7ZuOZdh', 'FWt7JYvoRg', 'wjl7wQmbUc', 'Xsr75Vv6EA', 'AFp7gSTXWF', 'QYV7726pVb', 'W4F7i0edYs'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, UpQHmstwEVKTgZGGgR.cs High entropy of concatenated method names: 'Gh0NS2uFRD', 'tWYNGuX9kt', 'UstrBb7lVZ', 'tkVrEhSfu4', 'rdsr27Em69', 'gmTr6YJNgn', 'h8ZrPeZPs8', 'UiJreXQnoS', 'Hv4rqxQpdc', 'XbGroxSHiR'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, Ex8GEybODp9w5PDMiRh.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kUfiLr5uGy', 'IPmi9u4sj5', 'mJMiXU84Nf', 'PWVikZ5nQa', 'IDuif2GqVH', 'zHqiV9myaw', 'Je0iauMVCy'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, Hv2PvdJu2lR4hIVvn9.cs High entropy of concatenated method names: 'iwLZMud7uP', 'RUdZInlfp1', 'IN2ZWbGKQc', 'U5MZ3DRTY8', 'RL6ZESwAmq', 'ad0Z2B80qB', 'cWCZPHbtEI', 'MV0ZeYUTBW', 'NPCZoscrYR', 'REqZyTb42W'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, xuq9NBsGj38hal6MpI.cs High entropy of concatenated method names: 'jwKJoN0f0d', 'LlpJu8rK3y', 'eZ1JLCAD8k', 'C3ZJ9mFGtU', 'UP7J3LBteg', 'GByJBpH2q4', 'ltdJE9TvBX', 'fULJ2gL56I', 'TQlJ6hldem', 'YylJPdQbbM'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, YyZUO9b5whwYWTkytbE.cs High entropy of concatenated method names: 'n7E7AN38Ju', 'AE47bDETub', 'n0d71JW0Gq', 'XH670cjHVD', 'EGk7SqTiL9', 'rXa7vlnPfG', 'x2P7GteEOf', 'lPA7MhYVP0', 'aFv7I5cZDZ', 'Gcb7scQDcK'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, NFWBpM4mPw4rlyE4h1.cs High entropy of concatenated method names: 'Dispose', 'lpEpQ1CnJM', 't5E43ZeSb2', 'VffCCYlVy8', 'jrmpHDpc1L', 'zTVpzdcr92', 'ProcessDialogKey', 'PgS4mecuej', 'hiE4pDjYxQ', 'LhM441QNTV'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, ts6Ukvnuhx7ka3epjf.cs High entropy of concatenated method names: 'GHOUY12Ajx', 'OF8UnsDkYr', 'jAVUNidD8v', 'BEcUKYphPP', 'WBDUdmyZq7', 'osFNfHstVe', 'y9BNVShpwK', 'y7LNavY12Y', 'tQXNcHHQEN', 'XOGNQci9Xv'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, TSrMHgQjhmviKA4M93.cs High entropy of concatenated method names: 'sGUgWoCEnA', 'ievg3O9Nrf', 'LjwgBGsBVp', 'SovgEiU8UR', 'So0gLsL5K4', 'xIVg2T2kpi', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, tkbEV7bmUUsmCjO133w.cs High entropy of concatenated method names: 'ExhiAtJOME', 'PC6ibDYElD', 'orqi112ZO4', 'MoOU4OH55avXSJHmnje', 'wef3TbH6JcQpvxPO8cu', 'cc2oJbHB9wjNZ4VtfLs', 'kcRKjkHleDArZJiy7SF'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, sF7EofuwR9Zd9VpvII.cs High entropy of concatenated method names: 'ontKRjRhsJ', 'o08KrFXwAs', 'p8nKUVLpdQ', 'Ef8UHHFFmC', 'eKUUzXSbZD', 'wqeKmgvEsT', 'XfVKp07PQi', 'F2lK4CwnMy', 'aAUKDRpAhP', 'nlYKjOTQIF'
Source: 0.2.Payment Advice.exe.b470000.9.raw.unpack, O1vH9MdC9n3P7LT7AU.cs High entropy of concatenated method names: 'zXnKAXlb9g', 'unNKbJfRrG', 'l3KK15klMu', 'NVgK0r2oib', 'A4bKSHd9B5', 'vXeKv8nqgu', 'ymBKGJwnDZ', 'rp9KMU3cT7', 'jP2KI85I6H', 'h58KsPiTvr'
Source: C:\Users\user\Desktop\Payment Advice.exe File created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe
Source: C:\Users\user\Desktop\Payment Advice.exe File created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe

Boot Survival

Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp6619.tmp"
Source: C:\Users\user\Desktop\Payment Advice.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run BjTxJte

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Payment Advice.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe File opened: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Payment Advice.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Payment Advice.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7492, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 1240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 8EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 78F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 9EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: AEE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: B4F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: C4F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: D4F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: F80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 2CE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 2AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 30E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 50E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 8ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 7870000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 9ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: AED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: B430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: C430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: D430000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: F50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 2890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Memory allocated: 4890000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 820000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 8180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 6BA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 9180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: A180000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: A780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: B780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: C780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 88C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 7360000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 98C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: A8C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: AEB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 1130000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory allocated: 2B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199958
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199719
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4187
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5963
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 845
Source: C:\Users\user\Desktop\Payment Advice.exe Window / User API: threadDelayed 5328
Source: C:\Users\user\Desktop\Payment Advice.exe Window / User API: threadDelayed 4516
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Window / User API: threadDelayed 2012
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Window / User API: threadDelayed 7837
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 6232
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 3615
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 3599
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Window / User API: threadDelayed 6220
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 6772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7432 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99653s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99530s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99201s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -99049s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98922s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98812s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98703s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98594s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98484s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98375s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98266s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98156s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -98044s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97937s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97828s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97714s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97559s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97332s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96874s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96766s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96641s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96531s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96421s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96312s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96203s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -96094s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95984s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95875s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95766s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95656s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95547s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95437s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95328s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95219s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95109s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -95000s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94891s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94781s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94672s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94562s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94453s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe TID: 7604 Thread sleep time: -94344s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7916 Thread sleep count: 2012 > 30
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7916 Thread sleep count: 7837 > 30
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99545s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98996s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98780s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98453s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98117s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97906s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97466s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97249s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97139s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -97030s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96921s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96702s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96593s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96484s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96374s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96265s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96156s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -96044s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -95937s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -95812s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -93076s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92965s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92858s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92744s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92640s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92530s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92421s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92292s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92148s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -92035s >= -30000s
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe TID: 7912 Thread sleep time: -91912s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -36893488147419080s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99827s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99718s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99609s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99498s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99172s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -99062s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98953s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98734s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98624s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98515s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98296s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98186s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -98078s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97968s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97859s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97749s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97640s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97421s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97312s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -97093s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96984s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96875s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96765s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96655s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96437s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96328s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96218s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96109s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95890s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95779s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95672s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95562s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95453s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95343s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95234s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95125s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -95015s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -94906s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -94797s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -94687s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7244 Thread sleep time: -94578s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 5752 Thread sleep count: 3599 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99874s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 5752 Thread sleep count: 6220 > 30
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99438s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98844s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -97110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -96110s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95735s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95610s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95485s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95360s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95235s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -95113s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94985s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94860s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94619s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94516s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94406s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -94268s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -1199958s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -1199828s >= -30000s
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe TID: 7876 Thread sleep time: -1199719s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99875
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99766
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99653
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99530
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99312
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99201
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 99049
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98922
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98812
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98703
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98594
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98484
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98375
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98266
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98156
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 98044
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97937
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97828
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97714
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97559
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97453
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97332
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97203
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 97093
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96874
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96766
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96641
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96531
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96421
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96312
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96203
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 96094
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95984
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95875
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95766
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95656
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95547
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95437
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95328
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95219
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95109
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 95000
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94891
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94781
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94672
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94562
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94453
Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 94344
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99545
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99437
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99328
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99218
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 99109
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98996
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98890
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98780
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98671
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98562
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98453
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98343
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98234
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98117
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 98015
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97906
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97796
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97687
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97578
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97466
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97359
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97249
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97139
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 97030
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96921
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96812
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96702
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96593
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96484
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96374
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96265
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96156
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 96044
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 95937
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 95812
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 93076
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92965
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92858
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92744
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92640
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92530
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92421
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92292
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92148
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 92035
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Thread delayed: delay time: 91912
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99827
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99718
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99609
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99498
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99390
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99281
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99172
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99062
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98953
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98734
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98624
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98515
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98296
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98186
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97968
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97859
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97749
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97640
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97531
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97421
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97312
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97203
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97093
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96984
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96875
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96765
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96655
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96547
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96437
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96328
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96218
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96109
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95890
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95779
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95672
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95562
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95453
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95343
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95234
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95125
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95015
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94906
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94797
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94687
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94578
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99874
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99766
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99438
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99188
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 99078
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98844
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 98110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 97110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 96110
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95735
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95610
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95485
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95360
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95235
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 95113
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94985
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94860
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94619
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94516
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94406
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 94268
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199958
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199828
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Thread delayed: delay time: 1199719
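The run of "Thread delayed" entries above is the raw record behind the report's "Contains long sleeps (>= 3 min)" signature. Two patterns in it are worth pulling out during triage: the value 922337203685477, which is Int64.MaxValue divided by 10000 (the millisecond value of .NET's TimeSpan.MaxValue) and therefore an effectively unbounded wait rather than a timed sleep, and the long series of values that shrink by roughly 110 ms per entry, which reads like a loop that recomputes a remaining wait against a deadline. The script below is an added example, not part of the Joe Sandbox report or of the sample. It parses lines in the report's own format, constructed inline from a few of the entries above, and reports per process the number of unbounded waits, the longest finite wait against the 3-minute threshold, and the number of countdown-shaped runs. The countdown heuristic (strictly decreasing values, each step at most 500 ms, at least three entries) and the reading of 922337203685477 as "wait forever" are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the report's "Source: <process> Thread delayed: delay time: <ms>"
# format, taken from a few of the entries above; not a complete copy of the report.
SAMPLE_LINES = """\
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Thread delayed: delay time: 922337203685477
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Thread delayed: delay time: 100000
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Thread delayed: delay time: 99875
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Thread delayed: delay time: 99766
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Thread delayed: delay time: 99653
Source: C:\\Users\\user\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe Thread delayed: delay time: 1199958
Source: C:\\Users\\user\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe Thread delayed: delay time: 1199828
Source: C:\\Windows\\System32\\conhost.exe Last function: Thread delayed
"""

# Int64.MaxValue // 10000 == 922337203685477, the millisecond value of .NET TimeSpan.MaxValue.
# Treating it as "wait forever" rather than a timed sleep is an assumption of this example.
INFINITE_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000  # the report's own ">= 3 min" long-sleep threshold

DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)$")


def parse_delays(text):
    """Return {process path: [delay values in order of appearance]}."""
    delays = defaultdict(list)
    for line in text.splitlines():
        m = DELAY_RE.match(line)
        if m:
            delays[m.group("proc")].append(int(m.group("ms")))
    return dict(delays)


def countdown_runs(values, min_len=3, max_step=500):
    """Count runs of >= min_len consecutive values that each drop by 1..max_step ms.

    Heuristic (example assumption) for a loop that re-sleeps for "deadline minus now".
    """
    runs, run = 0, 1
    for prev, cur in zip(values, values[1:]):
        if 0 < prev - cur <= max_step:
            run += 1
            continue
        if run >= min_len:
            runs += 1
        run = 1
    if run >= min_len:
        runs += 1
    return runs


def triage(text):
    """Per-process sleep summary: unbounded waits, longest finite wait, countdown loops."""
    summary = {}
    for proc, values in parse_delays(text).items():
        finite = [v for v in values if v != INFINITE_MS]
        longest = max(finite, default=0)
        summary[proc] = {
            "infinite_waits": values.count(INFINITE_MS),
            "longest_ms": longest,
            "total_finite_ms": sum(finite),
            "countdown_runs": countdown_runs(values),
            "long_sleep": longest >= LONG_SLEEP_MS,
        }
    return summary


if __name__ == "__main__":
    for proc, s in triage(SAMPLE_LINES).items():
        print(proc, s)
```

Run against the full report, the script separates the unbounded waits (which also appear for the powershell.exe children) from the timed sleeps, and the 1199958 ms request by BjTxJte.exe is the one that crosses the report's 3-minute threshold on its own.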
Source: BjTxJte.exe, 0000000E.00000002.1848048895.0000000000872000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\l
Source: BjTxJte.exe, 00000014.00000002.1936987872.0000000005500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: BjTxJte.exe, 0000000E.00000002.1848048895.0000000000872000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: sFPEKzHsLkYZIz.exe, 00000009.00000002.1754542531.000000000152E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
Source: BjTxJte.exe, 00000019.00000002.4119037268.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: Payment Advice.exe, 00000000.00000002.1706697674.00000000012D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:L
Source: Payment Advice.exe, 00000008.00000002.4119763177.000000000103D000.00000004.00000020.00020000.00000000.sdmp, sFPEKzHsLkYZIz.exe, 0000000D.00000002.4118934244.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, BjTxJte.exe, 00000013.00000002.4116736214.0000000000E74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Payment Advice.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Memory written: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp6619.tmp"
Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmp7ACA.tmp"
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Process created: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe "C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpA082.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sFPEKzHsLkYZIz" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Process created: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe "C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe"
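The process creations above, together with the Win32_Processor WMI enumeration earlier in this section, are the behaviours behind the "Adds a directory exclusion to Windows Defender", "Uses schtasks.exe or at.exe to add and modify task schedules", "Injects a PE file into a foreign processes" and "Queries sensitive network adapter information (via WMI ...)" signatures. The script below is an added example, not code from the report or from the sample: it applies four rules to lines in the report's own "Source: <process> <event>: <detail>" format (a constructed subset is embedded inline) and also pulls out the paths handed to Add-MpPreference -ExclusionPath, so that a responder knows which exclusions to revert. The rule names are chosen here for illustration and are not Joe Sandbox signature identifiers; the image-base rule keys on the "base: 400000" / "4D5A" pair the report shows and on its own only says that an MZ header was written at the usual 32-bit image base, not what was done with it afterwards.

```python
import re

# Constructed subset of the report's "Source: <process> <event kind>: <detail>" lines.
SAMPLE_EVENTS = """\
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Process created: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\sFPEKzHsLkYZIz.exe"
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Process created: C:\\Windows\\SysWOW64\\schtasks.exe "C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\sFPEKzHsLkYZIz" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmp6619.tmp"
Source: C:\\Users\\user\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe Memory written: C:\\Users\\user\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe base: 400000 value starts with: 4D5A
Source: C:\\Users\\user\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor
Source: C:\\Users\\user\\Desktop\\Payment Advice.exe Process created: C:\\Users\\user\\Desktop\\Payment Advice.exe "C:\\Users\\user\\Desktop\\Payment Advice.exe"
"""

EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<kind>Process created|Memory written|WMI Queries): (?P<detail>.*)$"
)

# (rule name, event kind it applies to, predicate over the detail text).
# Names are illustrative, not the sandbox's own signature identifiers.
RULES = [
    ("defender_exclusion_added", "Process created",
     lambda d: re.search(r"add-mppreference\s+-exclusion(path|process|extension)", d, re.I) is not None),
    ("schtasks_xml_from_temp", "Process created",
     lambda d: re.search(r'schtasks\.exe.*?/create.*?/xml\s+"?[^"]*\\temp\\', d, re.I) is not None),
    ("mz_written_at_image_base", "Memory written",
     lambda d: re.search(r"base: 400000 value starts with: 4D5A", d, re.I) is not None),
    ("wmi_processor_enumeration", "WMI Queries",
     lambda d: "Win32_Processor" in d),
]

EXCLUSION_RE = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.I)


def match_events(text):
    """Return [(rule name, source process)] for every line that triggers a rule."""
    hits = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        for name, kind, pred in RULES:
            if m.group("kind") == kind and pred(m.group("detail")):
                hits.append((name, m.group("proc")))
    return hits


def excluded_paths(text):
    """Paths the sample asked Defender to stop scanning (revert with Remove-MpPreference)."""
    return sorted({p for line in text.splitlines() for p in EXCLUSION_RE.findall(line)})


if __name__ == "__main__":
    for name, proc in match_events(SAMPLE_EVENTS):
        print(f"{name:28s} {proc}")
    print("exclusions to revert:", excluded_paths(SAMPLE_EVENTS))
```

On an infected host the same two artefacts are reverted with standard tooling: Remove-MpPreference -ExclusionPath <path> for each exclusion the script lists, and schtasks /Query /TN "Updates\sFPEKzHsLkYZIz" /XML to capture the task definition before schtasks /Delete /TN "Updates\sFPEKzHsLkYZIz" /F removes it. Note that the task is registered by all three binaries in the report under the same name, so the definition should be read rather than assumed.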
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q3<b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\^qDTime: 05/14/2024 14:57:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 81.181.57.52<br><hr><b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>{Win}r
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 05/14/2024 14:57:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 81.181.57.52<br><hr><b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>{Win}r
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 181.57.52<br><hr><b>[ Program Manager]</b> (18/04/2024 23:53:25)<=
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q9<b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>{Win}rTHcq`
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 05/14/2024 14:57:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 81.181.57.52<br><hr><b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>{Win}rTe^qdI
Source: Payment Advice.exe, 00000008.00000002.4124616083.0000000002D75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q8<b>[ Program Manager]</b> (18/04/2024 23:53:25)<br>{Win}THcq`
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Users\user\Desktop\Payment Advice.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Users\user\Desktop\Payment Advice.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1852266538.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4124167230.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1933792023.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.4125579074.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1760226964.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4115682058.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.4125631218.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.4125579074.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 4092, type: MEMORYSTR
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Payment Advice.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Payment Advice.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\sFPEKzHsLkYZIz.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\BjTxJte\BjTxJte.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.1852266538.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4124167230.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1933792023.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.4125579074.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1760226964.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4115682058.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.4125631218.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 4092, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c84a08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3d1f480.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e65888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Payment Advice.exe.4c497e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.BjTxJte.exe.41c5ac8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.BjTxJte.exe.3ce4260.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.sFPEKzHsLkYZIz.exe.4e2a668.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4124167230.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1852266538.00000000041C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4124167230.00000000028E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1933792023.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.4125579074.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4124616083.0000000002D64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1760226964.0000000004E2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.4115682058.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.4125631218.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.4125579074.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1712393138.0000000004C49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 6700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7524, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sFPEKzHsLkYZIz.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 6576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: BjTxJte.exe PID: 4092, type: MEMORYSTR