Analysis Report PaymentAdvice.exe

Overview

General Information

Sample Name: PaymentAdvice.exe
Analysis ID: 383926
MD5: 91937d3f9e93657c18129ff519b7f340
SHA1: d9acfebf2120d984d76bdf883094707305897691
SHA256: 397fd95899f186c1385818c6b996f4cb410e266a84b2c134104d01675a822e27
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m Avira URL Cloud: Label: malware
Source: http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m Avira URL Cloud: Label: malware
Source: www.saturnkorp.net/c22b/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.saturnkorp.net/c22b/"], "decoy": ["westendjanakpuri.com", "sylvianicolades.com", "xhvai.com", "vitalinfusionofarizona.com", "orangeecho.com", "middletonyork.net", "nature-powered.com", "securemanchester.com", "hispanicalinguablog.com", "vtz6whu5254xb1.xyz", "forceshutdown.com", "apointlessspace.net", "wildsoulsport.com", "baa-bee.com", "unmanglement.com", "njtiy.com", "misery-indexrain.com", "buybox.guru", "abolishlawinforcement.com", "healthforherraleigh.clinic", "merakart.com", "thetrentproject.com", "tobaccoroadinvitational.com", "sgdivergence.com", "skmoil.com", "bornforbetterthings.com", "tianyulian.com", "pwjol.com", "roab.store", "thebellabloom.com", "innerpeacehabits.com", "curtex.info", "worshipher.net", "puebloregentseniorliving.com", "profoundai.net", "yupinduoge.com", "draftsofsilence.com", "plataformaporelmarcanario.com", "grandrapidshemorrhoidclinic.com", "crossfut.net", "cobourgautoglass.com", "whowetrust.com", "anchor-little.com", "antiqollection.com", "wvregistration.com", "droplites.com", "creditiscrucial.com", "simdikikitap.com", "deltaeleveight.com", "webinast.com", "brandschutzglas.com", "brightsidebeans.com", "weatherdekniagara.com", "dajiangzhibo12.com", "transporteyflete.com", "dulzdude.com", "tmancar.com", "tristatecandlesupply.net", "thehealthierdonut.com", "francacheladesigns.com", "enerav.com", "highsiddityminks.com", "aitelco.net", "prulib.com"]}
Multi AV Scanner detection for submitted file
Source: PaymentAdvice.exe Virustotal: Detection: 32%
Source: PaymentAdvice.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PaymentAdvice.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.PaymentAdvice.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.msiexec.exe.95a558.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.4b47960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.PaymentAdvice.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: PaymentAdvice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: msiexec.pdb source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\78a9904c70914141b6b07ca4fbdcf1ff\Loader\Loader\Release\u58v4wo87.pdb source: PaymentAdvice.exe, 00000000.00000002.238262176.0000000073CA2000.00000002.00020000.sdmp, ic4muy4.dll.0.dr
Source: Binary string: wntdll.pdbUGP source: PaymentAdvice.exe, 00000000.00000003.229993167.000000001F100000.00000004.00000001.sdmp, PaymentAdvice.exe, 00000002.00000002.278191881.00000000009D0000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.502133269.0000000004610000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PaymentAdvice.exe, msiexec.exe
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop ebx 2_2_00406A95
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop edi 2_2_0040C3CF
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop edi 2_2_0040C390
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop edi 2_2_00415681
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop ebx 2_1_00406A95
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop edi 2_1_0040C3CF
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 4x nop then pop edi 2_1_0040C390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop ebx 7_2_00386A95
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 7_2_0038C390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 7_2_0038C3CF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 7_2_00395681

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 66.96.162.131:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49733 -> 108.167.140.96:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49737 -> 52.142.208.184:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 199.59.242.153:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49741 -> 154.90.117.58:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.saturnkorp.net/c22b/
Performs DNS queries to domains with low reputation
Source: DNS query: www.vtz6whu5254xb1.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.abolishlawinforcement.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.webinast.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.puebloregentseniorliving.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.brandschutzglas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.hispanicalinguablog.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.unmanglement.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.plataformaporelmarcanario.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.dajiangzhibo12.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.saturnkorp.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m HTTP/1.1 Host: www.sgdivergence.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: Joe Sandbox View ASN Name: GOOGLE-2US
Source: Joe Sandbox View ASN Name: WORLD4YOUAT
Source: C:\Windows\explorer.exe Code function: 3_2_070A7302 getaddrinfo,setsockopt,recv, 3_2_070A7302
Source: unknown DNS traffic detected: queries for: www.abolishlawinforcement.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.264957707.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0
Creates a DirectInput object (often for capturing keystrokes)
Source: PaymentAdvice.exe, 00000000.00000002.237618535.0000000000A9A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: PaymentAdvice.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PaymentAdvice.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004181B0 NtCreateFile, 2_2_004181B0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00418260 NtReadFile, 2_2_00418260
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004182E0 NtClose, 2_2_004182E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00418390 NtAllocateVirtualMemory, 2_2_00418390
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004181AB NtCreateFile, 2_2_004181AB
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00418202 NtReadFile, 2_2_00418202
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004182DA NtClose, 2_2_004182DA
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041838A NtAllocateVirtualMemory, 2_2_0041838A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00A398F0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00A39860
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39840 NtDelayExecution,LdrInitializeThunk, 2_2_00A39840
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A399A0 NtCreateSection,LdrInitializeThunk, 2_2_00A399A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00A39910
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39A20 NtResumeThread,LdrInitializeThunk, 2_2_00A39A20
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00A39A00
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39A50 NtCreateFile,LdrInitializeThunk, 2_2_00A39A50
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A395D0 NtClose,LdrInitializeThunk, 2_2_00A395D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39540 NtReadFile,LdrInitializeThunk, 2_2_00A39540
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00A396E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00A39660
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00A397A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00A39780
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00A39FE0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00A39710
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A398A0 NtWriteVirtualMemory, 2_2_00A398A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39820 NtEnumerateKey, 2_2_00A39820
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3B040 NtSuspendThread, 2_2_00A3B040
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A399D0 NtCreateProcessEx, 2_2_00A399D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39950 NtQueueApcThread, 2_2_00A39950
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39A80 NtOpenDirectoryObject, 2_2_00A39A80
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39A10 NtQuerySection, 2_2_00A39A10
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3A3B0 NtGetContextThread, 2_2_00A3A3B0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39B00 NtSetValueKey, 2_2_00A39B00
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A395F0 NtQueryInformationFile, 2_2_00A395F0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39520 NtWaitForSingleObject, 2_2_00A39520
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3AD30 NtSetContextThread, 2_2_00A3AD30
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39560 NtWriteFile, 2_2_00A39560
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A396D0 NtCreateKey, 2_2_00A396D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39610 NtEnumerateValueKey, 2_2_00A39610
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39670 NtQueryInformationProcess, 2_2_00A39670
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39650 NtQueryValueKey, 2_2_00A39650
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39730 NtQueryVirtualMemory, 2_2_00A39730
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3A710 NtOpenProcessToken, 2_2_00A3A710
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39760 NtOpenProcess, 2_2_00A39760
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A39770 NtSetInformationFile, 2_2_00A39770
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3A770 NtOpenThread, 2_2_00A3A770
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_004181B0 NtCreateFile, 2_1_004181B0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00418260 NtReadFile, 2_1_00418260
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_004182E0 NtClose, 2_1_004182E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00418390 NtAllocateVirtualMemory, 2_1_00418390
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_004181AB NtCreateFile, 2_1_004181AB
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00418202 NtReadFile, 2_1_00418202
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_004182DA NtClose, 2_1_004182DA
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041838A NtAllocateVirtualMemory, 2_1_0041838A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679540 NtReadFile,LdrInitializeThunk, 7_2_04679540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046795D0 NtClose,LdrInitializeThunk, 7_2_046795D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_04679660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679650 NtQueryValueKey,LdrInitializeThunk, 7_2_04679650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046796E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_046796E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046796D0 NtCreateKey,LdrInitializeThunk, 7_2_046796D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679710 NtQueryInformationToken,LdrInitializeThunk, 7_2_04679710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679FE0 NtCreateMutant,LdrInitializeThunk, 7_2_04679FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679780 NtMapViewOfSection,LdrInitializeThunk, 7_2_04679780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_04679860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679840 NtDelayExecution,LdrInitializeThunk, 7_2_04679840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_04679910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046799A0 NtCreateSection,LdrInitializeThunk, 7_2_046799A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679A50 NtCreateFile,LdrInitializeThunk, 7_2_04679A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679560 NtWriteFile, 7_2_04679560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679520 NtWaitForSingleObject, 7_2_04679520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467AD30 NtSetContextThread, 7_2_0467AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046795F0 NtQueryInformationFile, 7_2_046795F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679670 NtQueryInformationProcess, 7_2_04679670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679610 NtEnumerateValueKey, 7_2_04679610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679760 NtOpenProcess, 7_2_04679760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467A770 NtOpenThread, 7_2_0467A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679770 NtSetInformationFile, 7_2_04679770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679730 NtQueryVirtualMemory, 7_2_04679730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467A710 NtOpenProcessToken, 7_2_0467A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046797A0 NtUnmapViewOfSection, 7_2_046797A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467B040 NtSuspendThread, 7_2_0467B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679820 NtEnumerateKey, 7_2_04679820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046798F0 NtReadVirtualMemory, 7_2_046798F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046798A0 NtWriteVirtualMemory, 7_2_046798A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679950 NtQueueApcThread, 7_2_04679950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046799D0 NtCreateProcessEx, 7_2_046799D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679A20 NtResumeThread, 7_2_04679A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679A00 NtProtectVirtualMemory, 7_2_04679A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679A10 NtQuerySection, 7_2_04679A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679A80 NtOpenDirectoryObject, 7_2_04679A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04679B00 NtSetValueKey, 7_2_04679B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467A3B0 NtGetContextThread, 7_2_0467A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_003981B0 NtCreateFile, 7_2_003981B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00398260 NtReadFile, 7_2_00398260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_003982E0 NtClose, 7_2_003982E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00398390 NtAllocateVirtualMemory, 7_2_00398390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_003981AB NtCreateFile, 7_2_003981AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00398202 NtReadFile, 7_2_00398202
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_003982DA NtClose, 7_2_003982DA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0039838A NtAllocateVirtualMemory, 7_2_0039838A
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040314A
Detected potential crypto function
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_004046A7 0_2_004046A7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041C006 2_2_0041C006
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00408C4B 2_2_00408C4B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041B7A2 2_2_0041B7A2
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A220A0 2_2_00A220A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC20A8 2_2_00AC20A8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0B090 2_2_00A0B090
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC28EC 2_2_00AC28EC
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ACE824 2_2_00ACE824
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB1002 2_2_00AB1002
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A14120 2_2_00A14120
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FF900 2_2_009FF900
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC22AE 2_2_00AC22AE
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2EBB0 2_2_00A2EBB0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABDBD2 2_2_00ABDBD2
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC2B28 2_2_00AC2B28
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0841F 2_2_00A0841F
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABD466 2_2_00ABD466
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22581 2_2_00A22581
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0D5E0 2_2_00A0D5E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC25DD 2_2_00AC25DD
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC2D07 2_2_00AC2D07
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F0D20 2_2_009F0D20
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC1D55 2_2_00AC1D55
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC2EF7 2_2_00AC2EF7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A16E30 2_2_00A16E30
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABD616 2_2_00ABD616
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC1FF1 2_2_00AC1FF1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041C006 2_1_0041C006
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00401030 2_1_00401030
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00408C4B 2_1_00408C4B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00408C50 2_1_00408C50
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00402D90 2_1_00402D90
Source: C:\Windows\explorer.exe Code function: 3_2_070A2302 3_2_070A2302
Source: C:\Windows\explorer.exe Code function: 3_2_0709F902 3_2_0709F902
Source: C:\Windows\explorer.exe Code function: 3_2_070A0362 3_2_070A0362
Source: C:\Windows\explorer.exe Code function: 3_2_070A65B2 3_2_070A65B2
Source: C:\Windows\explorer.exe Code function: 3_2_070A57C7 3_2_070A57C7
Source: C:\Windows\explorer.exe Code function: 3_2_070A4062 3_2_070A4062
Source: C:\Windows\explorer.exe Code function: 3_2_0709F8F9 3_2_0709F8F9
Source: C:\Windows\explorer.exe Code function: 3_2_070A22FF 3_2_070A22FF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FD466 7_2_046FD466
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464841F 7_2_0464841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04701D55 7_2_04701D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04630D20 7_2_04630D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04702D07 7_2_04702D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464D5E0 7_2_0464D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047025DD 7_2_047025DD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662581 7_2_04662581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04656E30 7_2_04656E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FD616 7_2_046FD616
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04702EF7 7_2_04702EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04701FF1 7_2_04701FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1002 7_2_046F1002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047028EC 7_2_047028EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047020A8 7_2_047020A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464B090 7_2_0464B090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463F900 7_2_0463F900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047022AE 7_2_047022AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04702B28 7_2_04702B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FDBD2 7_2_046FDBD2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466EBB0 7_2_0466EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00388C50 7_2_00388C50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00388C4B 7_2_00388C4B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00382D90 7_2_00382D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00382FB0 7_2_00382FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0463B150 appears 35 times
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: String function: 009FB150 appears 35 times
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: String function: 00419F60 appears 38 times
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: String function: 0041A090 appears 38 times
PE file contains strange resources
Source: PaymentAdvice.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PaymentAdvice.exe, 00000000.00000003.233898045.000000001F21F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PaymentAdvice.exe
Source: PaymentAdvice.exe, 00000002.00000002.278186633.000000000096F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs PaymentAdvice.exe
Source: PaymentAdvice.exe, 00000002.00000002.278485977.0000000000C7F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PaymentAdvice.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: PaymentAdvice.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@13/10
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:844:120:WilError_01
Source: C:\Users\user\Desktop\PaymentAdvice.exe File created: C:\Users\user\AppData\Local\Temp\nsj41C3.tmp
Source: PaymentAdvice.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PaymentAdvice.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PaymentAdvice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PaymentAdvice.exe Virustotal: Detection: 32%
Source: PaymentAdvice.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\PaymentAdvice.exe File read: C:\Users\user\Desktop\PaymentAdvice.exe
Source: unknown Process created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: msiexec.pdb source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL source: PaymentAdvice.exe, 00000002.00000002.278128222.000000000073A000.00000004.00000020.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\78a9904c70914141b6b07ca4fbdcf1ff\Loader\Loader\Release\u58v4wo87.pdb source: PaymentAdvice.exe, 00000000.00000002.238262176.0000000073CA2000.00000002.00020000.sdmp, ic4muy4.dll.0.dr
Source: Binary string: wntdll.pdbUGP source: PaymentAdvice.exe, 00000000.00000003.229993167.000000001F100000.00000004.00000001.sdmp, PaymentAdvice.exe, 00000002.00000002.278191881.00000000009D0000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.502133269.0000000004610000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PaymentAdvice.exe, msiexec.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Unpacked PE file: 2.2.PaymentAdvice.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041D047 push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041C9DA push cs; ret 2_2_0041C9E1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00415326 push esi; iretd 2_2_0041532E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041B3FB push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041CBB8 push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041B45C push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041CC3C push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041C4C5 push ss; ret 2_2_0041C4C7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041CCCB push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041CD5D push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_0041CF9B push esp; ret 2_2_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A4D0D1 push ecx; ret 2_2_00A4D0E4
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041D047 push esp; ret 2_1_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041C9DA push cs; ret 2_1_0041C9E1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_00415326 push esi; iretd 2_1_0041532E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041B3F2 push eax; ret 2_1_0041B3F8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041B3FB push eax; ret 2_1_0041B462
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041B3A5 push eax; ret 2_1_0041B3F8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041CBB8 push esp; ret 2_1_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041B45C push eax; ret 2_1_0041B462
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041CC3C push esp; ret 2_1_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041C4C5 push ss; ret 2_1_0041C4C7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041CCCB push esp; ret 2_1_0041CC3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_1_0041CD5D push esp; ret 2_1_0041CC3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0468D0D1 push ecx; ret 7_2_0468D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0039D047 push esp; ret 7_2_0039CC3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0039C9DA push cs; ret 7_2_0039C9E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_00395326 push esi; iretd 7_2_0039532E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0039CBB8 push esp; ret 7_2_0039CC3B

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PaymentAdvice.exe File created: C:\Users\user\AppData\Local\Temp\nse41F3.tmp\ic4muy4.dll
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PaymentAdvice.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PaymentAdvice.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000003885E4 second address: 00000000003885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 000000000038896E second address: 0000000000388974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PaymentAdvice.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6536 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6392 Thread sleep time: -48000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
Source: explorer.exe, 00000003.00000000.264236200.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.264236200.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.506521767.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.254877403.00000000053A0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000003.00000002.512492029.00000000053BD000.00000004.00000001.sdmp Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60101-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
Source: explorer.exe, 00000003.00000002.496017525.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.264288916.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000002.512526929.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.264288916.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.263844021.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00409B10 LdrLoadDll, 2_2_00409B10
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,GetMessageA,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_73CA1000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_02671664 mov eax, dword ptr fs:[00000030h] 0_2_02671664
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_0267187C mov eax, dword ptr fs:[00000030h] 0_2_0267187C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A220A0 mov eax, dword ptr fs:[00000030h] 2_2_00A220A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A390AF mov eax, dword ptr fs:[00000030h] 2_2_00A390AF
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2F0BF mov ecx, dword ptr fs:[00000030h] 2_2_00A2F0BF
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2F0BF mov eax, dword ptr fs:[00000030h] 2_2_00A2F0BF
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F9080 mov eax, dword ptr fs:[00000030h] 2_2_009F9080
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A73884 mov eax, dword ptr fs:[00000030h] 2_2_00A73884
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F58EC mov eax, dword ptr fs:[00000030h] 2_2_009F58EC
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A8B8D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00A8B8D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A8B8D0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0B02A mov eax, dword ptr fs:[00000030h] 2_2_00A0B02A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2002D mov eax, dword ptr fs:[00000030h] 2_2_00A2002D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A77016 mov eax, dword ptr fs:[00000030h] 2_2_00A77016
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC4015 mov eax, dword ptr fs:[00000030h] 2_2_00AC4015
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB2073 mov eax, dword ptr fs:[00000030h] 2_2_00AB2073
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC1074 mov eax, dword ptr fs:[00000030h] 2_2_00AC1074
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A10050 mov eax, dword ptr fs:[00000030h] 2_2_00A10050
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A769A6 mov eax, dword ptr fs:[00000030h] 2_2_00A769A6
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A261A0 mov eax, dword ptr fs:[00000030h] 2_2_00A261A0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A751BE mov eax, dword ptr fs:[00000030h] 2_2_00A751BE
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1C182 mov eax, dword ptr fs:[00000030h] 2_2_00A1C182
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A185 mov eax, dword ptr fs:[00000030h] 2_2_00A2A185
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22990 mov eax, dword ptr fs:[00000030h] 2_2_00A22990
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A841E8 mov eax, dword ptr fs:[00000030h] 2_2_00A841E8
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009FB1E1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A14120 mov eax, dword ptr fs:[00000030h] 2_2_00A14120
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A14120 mov ecx, dword ptr fs:[00000030h] 2_2_00A14120
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2513A mov eax, dword ptr fs:[00000030h] 2_2_00A2513A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F9100 mov eax, dword ptr fs:[00000030h] 2_2_009F9100
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1B944 mov eax, dword ptr fs:[00000030h] 2_2_00A1B944
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FB171 mov eax, dword ptr fs:[00000030h] 2_2_009FB171
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FC962 mov eax, dword ptr fs:[00000030h] 2_2_009FC962
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0AAB0 mov eax, dword ptr fs:[00000030h] 2_2_00A0AAB0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2FAB0 mov eax, dword ptr fs:[00000030h] 2_2_00A2FAB0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2D294 mov eax, dword ptr fs:[00000030h] 2_2_00A2D294
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F52A5 mov eax, dword ptr fs:[00000030h] 2_2_009F52A5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22AE4 mov eax, dword ptr fs:[00000030h] 2_2_00A22AE4
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22ACB mov eax, dword ptr fs:[00000030h] 2_2_00A22ACB
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FAA16 mov eax, dword ptr fs:[00000030h] 2_2_009FAA16
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A34A2C mov eax, dword ptr fs:[00000030h] 2_2_00A34A2C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F5210 mov eax, dword ptr fs:[00000030h] 2_2_009F5210
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F5210 mov ecx, dword ptr fs:[00000030h] 2_2_009F5210
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F5210 mov eax, dword ptr fs:[00000030h] 2_2_009F5210
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A08A0A mov eax, dword ptr fs:[00000030h] 2_2_00A08A0A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A13A1C mov eax, dword ptr fs:[00000030h] 2_2_00A13A1C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 2_2_00ABAA16
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AAB260 mov eax, dword ptr fs:[00000030h] 2_2_00AAB260
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8A62 mov eax, dword ptr fs:[00000030h] 2_2_00AC8A62
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A3927A mov eax, dword ptr fs:[00000030h] 2_2_00A3927A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F9240 mov eax, dword ptr fs:[00000030h] 2_2_009F9240
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABEA55 mov eax, dword ptr fs:[00000030h] 2_2_00ABEA55
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A84257 mov eax, dword ptr fs:[00000030h] 2_2_00A84257
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC5BA5 mov eax, dword ptr fs:[00000030h] 2_2_00AC5BA5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A24BAD mov eax, dword ptr fs:[00000030h] 2_2_00A24BAD
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB138A mov eax, dword ptr fs:[00000030h] 2_2_00AB138A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AAD380 mov ecx, dword ptr fs:[00000030h] 2_2_00AAD380
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A01B8F mov eax, dword ptr fs:[00000030h] 2_2_00A01B8F
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2B390 mov eax, dword ptr fs:[00000030h] 2_2_00A2B390
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22397 mov eax, dword ptr fs:[00000030h] 2_2_00A22397
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A203E2 mov eax, dword ptr fs:[00000030h] 2_2_00A203E2
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1DBE9 mov eax, dword ptr fs:[00000030h] 2_2_00A1DBE9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A753CA mov eax, dword ptr fs:[00000030h] 2_2_00A753CA
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB131B mov eax, dword ptr fs:[00000030h] 2_2_00AB131B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FF358 mov eax, dword ptr fs:[00000030h] 2_2_009FF358
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A23B7A mov eax, dword ptr fs:[00000030h] 2_2_00A23B7A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FDB40 mov eax, dword ptr fs:[00000030h] 2_2_009FDB40
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8B58 mov eax, dword ptr fs:[00000030h] 2_2_00AC8B58
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FDB60 mov ecx, dword ptr fs:[00000030h] 2_2_009FDB60
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0849B mov eax, dword ptr fs:[00000030h] 2_2_00A0849B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB14FB mov eax, dword ptr fs:[00000030h] 2_2_00AB14FB
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76CF0 mov eax, dword ptr fs:[00000030h] 2_2_00A76CF0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8CD6 mov eax, dword ptr fs:[00000030h] 2_2_00AC8CD6
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2BC2C mov eax, dword ptr fs:[00000030h] 2_2_00A2BC2C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC740D mov eax, dword ptr fs:[00000030h] 2_2_00AC740D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 2_2_00AB1C06
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76C0A mov eax, dword ptr fs:[00000030h] 2_2_00A76C0A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1746D mov eax, dword ptr fs:[00000030h] 2_2_00A1746D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A44B mov eax, dword ptr fs:[00000030h] 2_2_00A2A44B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8C450 mov eax, dword ptr fs:[00000030h] 2_2_00A8C450
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC05AC mov eax, dword ptr fs:[00000030h] 2_2_00AC05AC
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A235A1 mov eax, dword ptr fs:[00000030h] 2_2_00A235A1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F2D8A mov eax, dword ptr fs:[00000030h] 2_2_009F2D8A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A21DB5 mov eax, dword ptr fs:[00000030h] 2_2_00A21DB5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A22581 mov eax, dword ptr fs:[00000030h] 2_2_00A22581
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2FD9B mov eax, dword ptr fs:[00000030h] 2_2_00A2FD9B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0D5E0 mov eax, dword ptr fs:[00000030h] 2_2_00A0D5E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABFDE2 mov eax, dword ptr fs:[00000030h] 2_2_00ABFDE2
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AA8DF1 mov eax, dword ptr fs:[00000030h] 2_2_00AA8DF1
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A76DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A76DC9
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A7A537 mov eax, dword ptr fs:[00000030h] 2_2_00A7A537
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABE539 mov eax, dword ptr fs:[00000030h] 2_2_00ABE539
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A03D34 mov eax, dword ptr fs:[00000030h] 2_2_00A03D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC8D34
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h] 2_2_00A24D3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h] 2_2_00A24D3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A24D3B mov eax, dword ptr fs:[00000030h] 2_2_00A24D3B
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FAD30 mov eax, dword ptr fs:[00000030h] 2_2_009FAD30
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1C577 mov eax, dword ptr fs:[00000030h] 2_2_00A1C577
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1C577 mov eax, dword ptr fs:[00000030h] 2_2_00A1C577
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A33D43 mov eax, dword ptr fs:[00000030h] 2_2_00A33D43
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A73540 mov eax, dword ptr fs:[00000030h] 2_2_00A73540
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A17D50 mov eax, dword ptr fs:[00000030h] 2_2_00A17D50
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A746A7 mov eax, dword ptr fs:[00000030h] 2_2_00A746A7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00AC0EA5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00AC0EA5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 2_2_00AC0EA5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8FE87 mov eax, dword ptr fs:[00000030h] 2_2_00A8FE87
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A216E0 mov ecx, dword ptr fs:[00000030h] 2_2_00A216E0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A076E2 mov eax, dword ptr fs:[00000030h] 2_2_00A076E2
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A38EC7 mov eax, dword ptr fs:[00000030h] 2_2_00A38EC7
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AAFEC0 mov eax, dword ptr fs:[00000030h] 2_2_00AAFEC0
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A236CC mov eax, dword ptr fs:[00000030h] 2_2_00A236CC
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8ED6 mov eax, dword ptr fs:[00000030h] 2_2_00AC8ED6
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AAFE3F mov eax, dword ptr fs:[00000030h] 2_2_00AAFE3F
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h] 2_2_009FC600
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h] 2_2_009FC600
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FC600 mov eax, dword ptr fs:[00000030h] 2_2_009FC600
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A28E00 mov eax, dword ptr fs:[00000030h] 2_2_00A28E00
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AB1608 mov eax, dword ptr fs:[00000030h] 2_2_00AB1608
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A61C mov eax, dword ptr fs:[00000030h] 2_2_00A2A61C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A61C mov eax, dword ptr fs:[00000030h] 2_2_00A2A61C
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009FE620 mov eax, dword ptr fs:[00000030h] 2_2_009FE620
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0766D mov eax, dword ptr fs:[00000030h] 2_2_00A0766D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 2_2_00A1AE73
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 2_2_00A1AE73
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 2_2_00A1AE73
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 2_2_00A1AE73
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 2_2_00A1AE73
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A07E41 mov eax, dword ptr fs:[00000030h] 2_2_00A07E41
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABAE44 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE44
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00ABAE44 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE44
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h] 2_2_00A77794
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h] 2_2_00A77794
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A77794 mov eax, dword ptr fs:[00000030h] 2_2_00A77794
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A08794 mov eax, dword ptr fs:[00000030h] 2_2_00A08794
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A337F5 mov eax, dword ptr fs:[00000030h] 2_2_00A337F5
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2E730 mov eax, dword ptr fs:[00000030h] 2_2_00A2E730
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC070D mov eax, dword ptr fs:[00000030h] 2_2_00AC070D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC070D mov eax, dword ptr fs:[00000030h] 2_2_00AC070D
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A70E mov eax, dword ptr fs:[00000030h] 2_2_00A2A70E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A2A70E mov eax, dword ptr fs:[00000030h] 2_2_00A2A70E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F4F2E mov eax, dword ptr fs:[00000030h] 2_2_009F4F2E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_009F4F2E mov eax, dword ptr fs:[00000030h] 2_2_009F4F2E
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A1F716 mov eax, dword ptr fs:[00000030h] 2_2_00A1F716
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8FF10 mov eax, dword ptr fs:[00000030h] 2_2_00A8FF10
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A8FF10 mov eax, dword ptr fs:[00000030h] 2_2_00A8FF10
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0FF60 mov eax, dword ptr fs:[00000030h] 2_2_00A0FF60
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00AC8F6A mov eax, dword ptr fs:[00000030h] 2_2_00AC8F6A
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 2_2_00A0EF40 mov eax, dword ptr fs:[00000030h] 2_2_00A0EF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465746D mov eax, dword ptr fs:[00000030h] 7_2_0465746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A44B mov eax, dword ptr fs:[00000030h] 7_2_0466A44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CC450 mov eax, dword ptr fs:[00000030h] 7_2_046CC450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CC450 mov eax, dword ptr fs:[00000030h] 7_2_046CC450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466BC2C mov eax, dword ptr fs:[00000030h] 7_2_0466BC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h] 7_2_046B6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h] 7_2_046B6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h] 7_2_046B6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6C0A mov eax, dword ptr fs:[00000030h] 7_2_046B6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1C06 mov eax, dword ptr fs:[00000030h] 7_2_046F1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0470740D mov eax, dword ptr fs:[00000030h] 7_2_0470740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0470740D mov eax, dword ptr fs:[00000030h] 7_2_0470740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0470740D mov eax, dword ptr fs:[00000030h] 7_2_0470740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F14FB mov eax, dword ptr fs:[00000030h] 7_2_046F14FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 7_2_046B6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 7_2_046B6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6CF0 mov eax, dword ptr fs:[00000030h] 7_2_046B6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04708CD6 mov eax, dword ptr fs:[00000030h] 7_2_04708CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464849B mov eax, dword ptr fs:[00000030h] 7_2_0464849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465C577 mov eax, dword ptr fs:[00000030h] 7_2_0465C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465C577 mov eax, dword ptr fs:[00000030h] 7_2_0465C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04673D43 mov eax, dword ptr fs:[00000030h] 7_2_04673D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3540 mov eax, dword ptr fs:[00000030h] 7_2_046B3540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04657D50 mov eax, dword ptr fs:[00000030h] 7_2_04657D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04708D34 mov eax, dword ptr fs:[00000030h] 7_2_04708D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04643D34 mov eax, dword ptr fs:[00000030h] 7_2_04643D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463AD30 mov eax, dword ptr fs:[00000030h] 7_2_0463AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FE539 mov eax, dword ptr fs:[00000030h] 7_2_046FE539
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046BA537 mov eax, dword ptr fs:[00000030h] 7_2_046BA537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h] 7_2_04664D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h] 7_2_04664D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04664D3B mov eax, dword ptr fs:[00000030h] 7_2_04664D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0464D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0464D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046FFDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046FFDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046FFDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FFDE2 mov eax, dword ptr fs:[00000030h] 7_2_046FFDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E8DF1 mov eax, dword ptr fs:[00000030h] 7_2_046E8DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov ecx, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B6DC9 mov eax, dword ptr fs:[00000030h] 7_2_046B6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046635A1 mov eax, dword ptr fs:[00000030h] 7_2_046635A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h] 7_2_04661DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h] 7_2_04661DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04661DB5 mov eax, dword ptr fs:[00000030h] 7_2_04661DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047005AC mov eax, dword ptr fs:[00000030h] 7_2_047005AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_047005AC mov eax, dword ptr fs:[00000030h] 7_2_047005AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662581 mov eax, dword ptr fs:[00000030h] 7_2_04662581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662581 mov eax, dword ptr fs:[00000030h] 7_2_04662581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662581 mov eax, dword ptr fs:[00000030h] 7_2_04662581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662581 mov eax, dword ptr fs:[00000030h] 7_2_04662581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h] 7_2_04632D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h] 7_2_04632D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h] 7_2_04632D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h] 7_2_04632D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04632D8A mov eax, dword ptr fs:[00000030h] 7_2_04632D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466FD9B mov eax, dword ptr fs:[00000030h] 7_2_0466FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466FD9B mov eax, dword ptr fs:[00000030h] 7_2_0466FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464766D mov eax, dword ptr fs:[00000030h] 7_2_0464766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h] 7_2_0465AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h] 7_2_0465AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h] 7_2_0465AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h] 7_2_0465AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465AE73 mov eax, dword ptr fs:[00000030h] 7_2_0465AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04647E41 mov eax, dword ptr fs:[00000030h] 7_2_04647E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FAE44 mov eax, dword ptr fs:[00000030h] 7_2_046FAE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FAE44 mov eax, dword ptr fs:[00000030h] 7_2_046FAE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463E620 mov eax, dword ptr fs:[00000030h] 7_2_0463E620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EFE3F mov eax, dword ptr fs:[00000030h] 7_2_046EFE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h] 7_2_0463C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h] 7_2_0463C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463C600 mov eax, dword ptr fs:[00000030h] 7_2_0463C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04668E00 mov eax, dword ptr fs:[00000030h] 7_2_04668E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F1608 mov eax, dword ptr fs:[00000030h] 7_2_046F1608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A61C mov eax, dword ptr fs:[00000030h] 7_2_0466A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A61C mov eax, dword ptr fs:[00000030h] 7_2_0466A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046616E0 mov ecx, dword ptr fs:[00000030h] 7_2_046616E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046476E2 mov eax, dword ptr fs:[00000030h] 7_2_046476E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04678EC7 mov eax, dword ptr fs:[00000030h] 7_2_04678EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04708ED6 mov eax, dword ptr fs:[00000030h] 7_2_04708ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046636CC mov eax, dword ptr fs:[00000030h] 7_2_046636CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EFEC0 mov eax, dword ptr fs:[00000030h] 7_2_046EFEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B46A7 mov eax, dword ptr fs:[00000030h] 7_2_046B46A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h] 7_2_04700EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h] 7_2_04700EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04700EA5 mov eax, dword ptr fs:[00000030h] 7_2_04700EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CFE87 mov eax, dword ptr fs:[00000030h] 7_2_046CFE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464FF60 mov eax, dword ptr fs:[00000030h] 7_2_0464FF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04708F6A mov eax, dword ptr fs:[00000030h] 7_2_04708F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464EF40 mov eax, dword ptr fs:[00000030h] 7_2_0464EF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04634F2E mov eax, dword ptr fs:[00000030h] 7_2_04634F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04634F2E mov eax, dword ptr fs:[00000030h] 7_2_04634F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466E730 mov eax, dword ptr fs:[00000030h] 7_2_0466E730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A70E mov eax, dword ptr fs:[00000030h] 7_2_0466A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A70E mov eax, dword ptr fs:[00000030h] 7_2_0466A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465F716 mov eax, dword ptr fs:[00000030h] 7_2_0465F716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CFF10 mov eax, dword ptr fs:[00000030h] 7_2_046CFF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CFF10 mov eax, dword ptr fs:[00000030h] 7_2_046CFF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0470070D mov eax, dword ptr fs:[00000030h] 7_2_0470070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0470070D mov eax, dword ptr fs:[00000030h] 7_2_0470070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046737F5 mov eax, dword ptr fs:[00000030h] 7_2_046737F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04648794 mov eax, dword ptr fs:[00000030h] 7_2_04648794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7794 mov eax, dword ptr fs:[00000030h] 7_2_046B7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7794 mov eax, dword ptr fs:[00000030h] 7_2_046B7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7794 mov eax, dword ptr fs:[00000030h] 7_2_046B7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04701074 mov eax, dword ptr fs:[00000030h] 7_2_04701074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046F2073 mov eax, dword ptr fs:[00000030h] 7_2_046F2073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04650050 mov eax, dword ptr fs:[00000030h] 7_2_04650050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04650050 mov eax, dword ptr fs:[00000030h] 7_2_04650050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] 7_2_0466002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] 7_2_0466002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] 7_2_0466002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] 7_2_0466002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466002D mov eax, dword ptr fs:[00000030h] 7_2_0466002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464B02A mov eax, dword ptr fs:[00000030h] 7_2_0464B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464B02A mov eax, dword ptr fs:[00000030h] 7_2_0464B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464B02A mov eax, dword ptr fs:[00000030h] 7_2_0464B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0464B02A mov eax, dword ptr fs:[00000030h] 7_2_0464B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04704015 mov eax, dword ptr fs:[00000030h] 7_2_04704015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04704015 mov eax, dword ptr fs:[00000030h] 7_2_04704015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7016 mov eax, dword ptr fs:[00000030h] 7_2_046B7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7016 mov eax, dword ptr fs:[00000030h] 7_2_046B7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B7016 mov eax, dword ptr fs:[00000030h] 7_2_046B7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046358EC mov eax, dword ptr fs:[00000030h] 7_2_046358EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046CB8D0 mov eax, dword ptr fs:[00000030h] 7_2_046CB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046620A0 mov eax, dword ptr fs:[00000030h] 7_2_046620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046790AF mov eax, dword ptr fs:[00000030h] 7_2_046790AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0466F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466F0BF mov eax, dword ptr fs:[00000030h] 7_2_0466F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466F0BF mov eax, dword ptr fs:[00000030h] 7_2_0466F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639080 mov eax, dword ptr fs:[00000030h] 7_2_04639080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3884 mov eax, dword ptr fs:[00000030h] 7_2_046B3884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B3884 mov eax, dword ptr fs:[00000030h] 7_2_046B3884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463C962 mov eax, dword ptr fs:[00000030h] 7_2_0463C962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463B171 mov eax, dword ptr fs:[00000030h] 7_2_0463B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463B171 mov eax, dword ptr fs:[00000030h] 7_2_0463B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465B944 mov eax, dword ptr fs:[00000030h] 7_2_0465B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465B944 mov eax, dword ptr fs:[00000030h] 7_2_0465B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 mov eax, dword ptr fs:[00000030h] 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 mov eax, dword ptr fs:[00000030h] 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 mov eax, dword ptr fs:[00000030h] 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 mov eax, dword ptr fs:[00000030h] 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04654120 mov ecx, dword ptr fs:[00000030h] 7_2_04654120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466513A mov eax, dword ptr fs:[00000030h] 7_2_0466513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466513A mov eax, dword ptr fs:[00000030h] 7_2_0466513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639100 mov eax, dword ptr fs:[00000030h] 7_2_04639100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639100 mov eax, dword ptr fs:[00000030h] 7_2_04639100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639100 mov eax, dword ptr fs:[00000030h] 7_2_04639100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0463B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0463B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0463B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C41E8 mov eax, dword ptr fs:[00000030h] 7_2_046C41E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046661A0 mov eax, dword ptr fs:[00000030h] 7_2_046661A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046661A0 mov eax, dword ptr fs:[00000030h] 7_2_046661A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B69A6 mov eax, dword ptr fs:[00000030h] 7_2_046B69A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B51BE mov eax, dword ptr fs:[00000030h] 7_2_046B51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B51BE mov eax, dword ptr fs:[00000030h] 7_2_046B51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B51BE mov eax, dword ptr fs:[00000030h] 7_2_046B51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046B51BE mov eax, dword ptr fs:[00000030h] 7_2_046B51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0466A185 mov eax, dword ptr fs:[00000030h] 7_2_0466A185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0465C182 mov eax, dword ptr fs:[00000030h] 7_2_0465C182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662990 mov eax, dword ptr fs:[00000030h] 7_2_04662990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EB260 mov eax, dword ptr fs:[00000030h] 7_2_046EB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046EB260 mov eax, dword ptr fs:[00000030h] 7_2_046EB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04708A62 mov eax, dword ptr fs:[00000030h] 7_2_04708A62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0467927A mov eax, dword ptr fs:[00000030h] 7_2_0467927A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639240 mov eax, dword ptr fs:[00000030h] 7_2_04639240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639240 mov eax, dword ptr fs:[00000030h] 7_2_04639240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639240 mov eax, dword ptr fs:[00000030h] 7_2_04639240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04639240 mov eax, dword ptr fs:[00000030h] 7_2_04639240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FEA55 mov eax, dword ptr fs:[00000030h] 7_2_046FEA55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046C4257 mov eax, dword ptr fs:[00000030h] 7_2_046C4257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04674A2C mov eax, dword ptr fs:[00000030h] 7_2_04674A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04674A2C mov eax, dword ptr fs:[00000030h] 7_2_04674A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04648A0A mov eax, dword ptr fs:[00000030h] 7_2_04648A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04635210 mov eax, dword ptr fs:[00000030h] 7_2_04635210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04635210 mov ecx, dword ptr fs:[00000030h] 7_2_04635210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04635210 mov eax, dword ptr fs:[00000030h] 7_2_04635210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04635210 mov eax, dword ptr fs:[00000030h] 7_2_04635210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463AA16 mov eax, dword ptr fs:[00000030h] 7_2_0463AA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_0463AA16 mov eax, dword ptr fs:[00000030h] 7_2_0463AA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04653A1C mov eax, dword ptr fs:[00000030h] 7_2_04653A1C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FAA16 mov eax, dword ptr fs:[00000030h] 7_2_046FAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046FAA16 mov eax, dword ptr fs:[00000030h] 7_2_046FAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662AE4 mov eax, dword ptr fs:[00000030h] 7_2_04662AE4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_04662ACB mov eax, dword ptr fs:[00000030h] 7_2_04662ACB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046352A5 mov eax, dword ptr fs:[00000030h] 7_2_046352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046352A5 mov eax, dword ptr fs:[00000030h] 7_2_046352A5
Enables debug privileges
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.plataformaporelmarcanario.com
Source: C:\Windows\explorer.exe Domain query: www.unmanglement.com
Source: C:\Windows\explorer.exe Network Connect: 108.167.140.96 80
Source: C:\Windows\explorer.exe Network Connect: 66.96.162.131 80
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.hispanicalinguablog.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Domain query: www.webinast.com
Source: C:\Windows\explorer.exe Network Connect: 35.214.93.182 80
Source: C:\Windows\explorer.exe Network Connect: 81.19.159.73 80
Source: C:\Windows\explorer.exe Network Connect: 52.142.208.184 80
Source: C:\Windows\explorer.exe Domain query: www.sgdivergence.com
Source: C:\Windows\explorer.exe Network Connect: 75.126.101.233 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.85.234 80
Source: C:\Windows\explorer.exe Domain query: www.saturnkorp.net
Source: C:\Windows\explorer.exe Domain query: www.puebloregentseniorliving.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.abolishlawinforcement.com
Source: C:\Windows\explorer.exe Domain query: www.dajiangzhibo12.com
Source: C:\Windows\explorer.exe Domain query: www.brandschutzglas.com
Source: C:\Windows\explorer.exe Domain query: www.anchor-little.com
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\PaymentAdvice.exe Code function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,GetMessageA,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_73CA1000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PaymentAdvice.exe Section loaded: unknown target: C:\Users\user\Desktop\PaymentAdvice.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PaymentAdvice.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PaymentAdvice.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: B00000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PaymentAdvice.exe Process created: C:\Users\user\Desktop\PaymentAdvice.exe 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PaymentAdvice.exe'
Source: explorer.exe, 00000003.00000000.264311845.00000000089FF000.00000004.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.246528467.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.246711523.0000000001640000.00000002.00000001.sdmp, msiexec.exe, 00000007.00000002.501816615.0000000002EB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000001.233939392.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.493924242.00000000007A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277986099.00000000006B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.277857898.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237687688.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.492784662.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.494092321.00000000007D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.278046129.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.PaymentAdvice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.PaymentAdvice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PaymentAdvice.exe.2680000.1.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 383926  Sample: PaymentAdvice.exe  Startdate: 08/04/2021  Architecture: WINDOWS  Score: 100

Process chain recovered from the graph (signatures listed per node):

Root (sample node)
  DNS/IP: www.weatherdekniagara.com, www.vtz6whu5254xb1.xyz
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
  -> PaymentAdvice.exe (started)
       Dropped file: C:\Users\user\AppData\Local\...\ic4muy4.dll, PE32
       Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
       -> PaymentAdvice.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                 DNS/IP: www.brandschutzglas.com 81.19.159.73, 49732, 80 WORLD4YOUAT Austria; hispanicalinguablog.com 108.167.140.96, 49733, 80 UNIFIEDLAYER-AS-1US United States; 13 other IPs or domains
                 Signatures: System process connects to network (likely due to code injection or exploit)
                 -> msiexec.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      -> cmd.exe (started)
                           -> conhost.exe (started)

Contacted Public IPs

IP               Domain                             Country        ASN     ASN Name                       Malicious
199.59.242.153   www.sgdivergence.com               United States  395082  BODIS-NJUS                     true
35.214.93.182    webinast.com                       United States  19527   GOOGLE-2US                     true
81.19.159.73     www.brandschutzglas.com            Austria        38955   WORLD4YOUAT                    true
52.142.208.184   www.plataformaporelmarcanario.com  United States  8075    MICROSOFT-CORP-MSN-AS-BLOCKUS  true
75.126.101.233   www.saturnkorp.net                 United States  36351   SOFTLAYERUS                    true
104.21.85.234    www.dajiangzhibo12.com             United States  13335   CLOUDFLARENETUS                true
108.167.140.96   hispanicalinguablog.com            United States  46606   UNIFIEDLAYER-AS-1US            true
34.102.136.180   unmanglement.com                   United States  15169   GOOGLEUS                       false
66.96.162.131    www.abolishlawinforcement.com      United States  29873   BIZLAND-SDUS                   true
184.168.131.241  puebloregentseniorliving.com       United States  26496   AS-26496-GO-DADDY-COM-LLCUS    true

Contacted Domains

Name                               IP               Active
www.plataformaporelmarcanario.com  52.142.208.184   true
hispanicalinguablog.com            108.167.140.96   true
www.weatherdekniagara.com          154.90.117.58    true
www.sgdivergence.com               199.59.242.153   true
www.saturnkorp.net                 75.126.101.233   true
www.abolishlawinforcement.com      66.96.162.131    true
www.dajiangzhibo12.com             104.21.85.234    true
webinast.com                       35.214.93.182    true
puebloregentseniorliving.com       184.168.131.241  true
www.brandschutzglas.com            81.19.159.73     true
unmanglement.com                   34.102.136.180   true
www.vtz6whu5254xb1.xyz             49.156.179.238   true
www.unmanglement.com               unknown          unknown
www.hispanicalinguablog.com        unknown          unknown
www.webinast.com                   unknown          unknown
www.puebloregentseniorliving.com   unknown          unknown
www.anchor-little.com              unknown          unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
http://www.saturnkorp.net/c22b/?GPi8=IngE1hDMC0iOqAB1zwheuQ4ABgAGAsEfCrT5hUpQaIJD49WyqmbZ7MrR+3GjstBYa8fc&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: malware  unknown
http://www.dajiangzhibo12.com/c22b/?GPi8=5+EjqSxxsqb+AO0KDJIwjNuki1nPzn2WfN0f4mrczTU8JzwykOabyZiChtG34yjy1Q0j&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.puebloregentseniorliving.com/c22b/?GPi8=nmIfUlNr6AQSQgrNMPV2VDC5u2FNL4+2gZJ90khVvz7x9MdM6XesChhiT43O23KpZGxC&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.hispanicalinguablog.com/c22b/?GPi8=HpleEjmznmAp1mnh3ErPpAEFAwO205ds9NqRbSfPQGhA2yUrvNOqRplXRPY5sqn9sB27&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.abolishlawinforcement.com/c22b/?GPi8=1dQaaDtLo4hIlhJ7DhM80GCvP8/I8CX19D0/9AsPWTSM5A4Y138dKjOlANUgqZ625A7c&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: malware  unknown
http://www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.unmanglement.com/c22b/?GPi8=SZiv1CvNDlpERXMbnn5ZLbcWCJQi367u53ErGxikwJhkUqcV+jft+FDyZI7mP4A7IH+s&ary=tXLpzhFpgBj4m  false  Avira URL Cloud: safe  unknown
http://www.webinast.com/c22b/?GPi8=1WYFPCFAa+jpHIB9BnILU4C06qq5pGhvLsRWbgBa8h/dn7fbRDy+A9fX1Fi0Jb7woXre&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.brandschutzglas.com/c22b/?GPi8=3e8gwkl9NTrwQEJIdtc/OIQW/HZWnYYyjZ9yyX4Ij6bEtyT7BmhmgR072GygdN+xOVfM&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
http://www.plataformaporelmarcanario.com/c22b/?GPi8=zx0k4ABwBL0XDo/z29LcJNBul5/He8j/Xs403vcVS0JFFGbo2Kaumu3jNTCDwIeMd1g7&ary=tXLpzhFpgBj4m  true  Avira URL Cloud: safe  unknown
www.saturnkorp.net/c22b/  true  Avira URL Cloud: malware  low