Windows Analysis Report payment_advice.exe

AV Detection:

Found malware configuration

Source: 6.0.RegSvcs.exe.400000.4.unpack

Malware Configuration Extractor: AsyncRAT {"Server": "185.222.57.80", "Ports": "6275", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "QezdxbEnAcR8YRyfVhhUW7fy58KZtsCM", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "20", "HWID": "null", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPsgY74fnNwbIPR6dDIAXTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwMTExMTUxMzQ3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAImeGbwefUPZlenM9ZLOLyWoIfTUQbvfSf2I4aTtRtrJV0PvNEvbnGLJBVZe2Pl0/07x8Tk2rB11VhT66e/qyj/1GaK2lCocdlZY1I5bbDPiVaENZ3Pd4XFA00Am9axKENbivQzVj9NT8HlT1ymPK1utCLa7IWfmf5SR76DG8iaClYf0QiNFizdty7Bmhnc5ZS9xFI7tWzao+K0Ds7iD0IEQvKPWVAdssV/Y0rDXxcNcYo0iKDU4Qln8Hwgeuqh+ZFSgwwYnbDCfyKHO85s7GCD4MluE6vYBla1guC8SRWvRTIop+edRyivzmQ17cX+9K6W/UcReXkrNe4UEDbSKNzxwp65yTww4B95eJEXiKzrmNpPq1jEs8okWRoPluIKi2SEOMQcUwb6VcNamWQxwnW2WMPswRpcFVedgU0mUTs4AzLhUt8vhf5e3zAs5fYY7G2NtNMUzXgR2AkhbG30dIguSUFxCiyoXL15+Z4aKudbOycqydKoeGghHd9Lgl78N7mjNuM0Ti5YNeHltKbqEb10P5K4ZaSaWQe2FjTTY0/PjTqwUGouJcXg+vG6JYcsfFw4a6n3kivC7AOPYsdvMLuq+D3Rg/wrlo7ZfgzvkZojzjBboBRDbMi57Y8W77i+VEb81VlPwmTcbzP6dFcrfJVmVOgDRW3q96OD9HxfMXQxZAgMBAAGjMjAwMB0GA1UdDgQWBBTaL3HojDpid9l5Z4ww/A0enwsLHzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA4PTTl66juqXrGz2R4fBZ1Dy3CfIL590qgWNuzGTkqR2uC54F9gG0bhexUBfK5OZp0ypmQlfRIRw5e6bXXmizGmHXGKdirG4dIiwK2hh/9ENP7D8nafAeIaB935RopQHSR6qXrbm2IiJFJySnfZLCnWADOPq0zy3YlD62JA07DNvEyQKq7v128VkpFPGzCIeFBxcbrLvadpEv71py3DwZJU+FYn2tqFBZPTtVkZcPIlSdG2+f5lp1FlgTZa+p+5pUYrLyH5KI3BZBLpZy29j1/Yy/x5N6eVi7zHNoin4VtMlx8oSKxNfx8C66palvTiw3/Ga9NVyWkvFO43ddgMsdAfJ0CryfKLaK3D9vfd1HgdH6AFB+lHh51ANUeNgRnlngCQ5NZL9PTOBywiHV9aPV1lQPUlbE9SLlmgZfXDzxxHOE+eHR+FpOumMxrEiUAn/x3xRN6jgq1opAJ8dgK1JRx76pC3eXPvyNmz6NPUaVb2oOI+nBDdnAyUWlOY84JrycPi8qt0HbL7FOMhwJKk3wE7zdL32h+bRhef2VediBaEnPI38ZNk6Nn7lYkSifkhOeDTHR2WMo5TNEM+bMpb66/kySmGBEY7f4w0R8190mxufBfIYKeimOunDuRukbKXpNEnmkSPoysVZP9r/KmF0iE57g6FDmfF5ixPsz7B4OS4A==", "ServerSignature": "HIVbYAPWifBLFM1dIsEfxbnVJ30YJJhWw82LHYtKmHEC3g/lAwZ5luRjZRWAz1JR169Sn8cJckChtzpnJtaXs6xUOq3xWorDyH9CxmCYqSkPU3OLjEtGBWOhUlAkUyMsAegVguFE9yC3QsL7d9ry54trgH3tAg6a34DzC51v1nMppCNNKptEDh0p2rg8s1IotSV6LVOItcGaHuTjpqfTeXeg/eAL7+fWNw5FMH5j+j5OpNOELl2Y9mbJvjzZ7v7Ff5YXkcEopiyWuEW9eIjuNyOrBU0a9H9MOaSN091fxYLVYDYWVxzt1PbJWRdyLWE00EVdejlfQipA45wZVidw9RxD2O67SVlBO5mm+KQd80ISK1fbp3hZ9hX9OyH//2OwJPiL61w1i5owalTZMVlQ13Gfv1pubixjVVvO7aZwGlmEqWrGDqlyElrefhfni7aWdPIbeBaD1LSv91pHDOTzmrr0nePUF66dkKLcs/BwygcY+XesKJQROtWzWrkFc+jmezq8DIGGCEf+kwq+ZFb1LRxPGOFck8Qr2JS9rqdHbx+Mrmn+sxzk0Ozm9tFUmryKxIMct4fTiT0r6sD/LJyLQZPxH3IHYk36GLpqgOcjGLA3hFtkV41EjGuYNgLkB6ekG++kBHZtstmBNIyfOBmGOhy9BSJ8oAmjYzPP4ivKO7I=", "Group": "Default"}

Multi AV Scanner detection for submitted file

Source: payment_advice.exe

Virustotal: Detection: 24%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Source: 6.0.RegSvcs.exe.400000.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.3.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 6.0.RegSvcs.exe.400000.1.unpack	Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files

Source: payment_advice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: payment_advice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: StoreAssemblyFileEnumerati.pdb source: payment_advice.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.222.57.80:6275 -> 192.168.2.4:49780

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49780 -> 185.222.57.80:6275

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.57.80

URLs found in memory or binary data

Source: RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegSvcs.exe, 00000006.00000003.729913845.0000000004DAD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729784959.0000000004D7A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730140141.0000000004DD1000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000006.00000003.729391547.0000000004DFF000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729862344.0000000004DFD000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.730061783.0000000004DFD000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?783d96b3a4778
Source: RegSvcs.exe, 00000006.00000002.915733607.0000000000C19000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en~
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: payment_advice.exe, 00000000.00000003.655235756.0000000005A87000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: payment_advice.exe, 00000000.00000003.658699195.0000000005ABD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/.
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: payment_advice.exe, 00000000.00000003.659974688.0000000005ABD000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.660089261.0000000005ABD000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.com3
Source: payment_advice.exe, 00000000.00000002.676129019.00000000012E7000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comalic
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: payment_advice.exe, 00000000.00000003.655057399.0000000005A84000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnen
Source: payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: payment_advice.exe, 00000000.00000003.661723557.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661610975.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661797055.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661694433.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661648739.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661846411.0000000005AB7000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.661760000.0000000005AB7000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/==FL
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: payment_advice.exe, 00000000.00000002.677352253.0000000006D52000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp, payment_advice.exe, 00000000.00000003.655385357.0000000005A86000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn.
Source: payment_advice.exe, 00000000.00000003.655332882.0000000005A86000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnKX

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Creates a DirectInput object (often for capturing keystrokes)

Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: payment_advice.exe

Executable has a suspicious name (potential lure to open the executable)

Source: payment_advice.exe

Static file information: Suspicious name

Uses 32bit PE files

Source: payment_advice.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Detected potential crypto function

Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_00F6C9B4		0_2_00F6C9B4
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_00F6EDF8		0_2_00F6EDF8
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_00F6EDE9		0_2_00F6EDE9
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_07378C80		0_2_07378C80
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_07378C70		0_2_07378C70
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_073719D8		0_2_073719D8
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_07370006		0_2_07370006
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_07370040		0_2_07370040

Sample file is different than original file name gathered from version info

Source: payment_advice.exe	Binary or memory string: OriginalFilename vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.675291434.00000000007E2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.676514313.0000000003B99000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.677656360.0000000007260000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs payment_advice.exe
Source: payment_advice.exe, 00000000.00000002.675710014.0000000000F80000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs payment_advice.exe
Source: payment_advice.exe	Binary or memory string: OriginalFilenameStoreAssemblyFileEnumerati.exe0 vs payment_advice.exe

Sample is known by Antivirus

Source: payment_advice.exe

Virustotal: Detection: 24%

PE file has an executable .text section and no other executable section

Source: payment_advice.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\payment_advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\payment_advice.exe "C:\Users\user\Desktop\payment_advice.exe"
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Creates files inside the user directory

Source: C:\Users\user\Desktop\payment_advice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment_advice.exe.log

Jump to behavior

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@0/1

.NET source code contains many API calls related to security

Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Helper/Methods.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\payment_advice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

.NET source code contains long base64-encoded strings

Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Settings.cs	Base64 encoded string: 'OxIgfigWaWD1iHUQkeEwCdvodDPAi1aQlAZPn5SVm1QUEU4jYEbGk0yWdIU/60H8SwYv5trgfz03NwmViUXilA==', 'tFCMl5LJh9KfrD/2IrS9AyX6tWrTFx1M4x9C4I+3GtpJkzfqfQj4Ozg27QqlOGjnIZViSyYcTPhAR2oSTlnLUA==', 'MSBsdmTU6n0oJMzCViPKdbQcVuooQS8W+fnqVPDCz4uJIc4A/6Ds3caNv1Hyb6FIJW+NtmaqLg2BmglWJCX8BA==', 'O6ntXDPMMaGdtdyEGzG3WlrerqCFzHpIkowO4E70rQkKdOENpJMGuqEHcSK6CIRFQXMw75xS8RDFtne9hfWf+w==', 'rYAR6ZFxrMh0FYz6wXiSHzGZ+3DgrC+IFpxnzMLryD/8iUkXONk/OF4JpZJxEOS/CMFquJpiDMg/lQlvUebhqq5kUr/pvwu1JqlS4khngQ4=', 'i+GX60sC61HzbjzZ+x+BYGTJTzOq3teA/i9tuBsO/gYarARe5QBnTWJknu19YC/oEakO4kIGFq3ug9OqF4SLZ9kqxLiiNFxyEzjPjatcWvGbvHZ1N3dzoIZHjjfFK6QEil364t2xt/+vlZ7vcVlWHYh3pECNwHLv6bP918Hq+8K+J28xAvsc1p1LXGwcx3tPgmA0iyLjQvHU05ZbqMlGoeWIAvung3jS6iZNTNwIV7/+rxZPWgYp5F1wY+T0crZb6URR+MrLQxQ53xBvBUlehkJ2c0cPJgX2FjSV6636tVXU4Bfbp4qGvVYrO+MObu8djqUdF4p0hHyvJqcx7rzgjzd/wmdtXDZBLbujl7SsbZuCpYmkUfMRVAh4X36bf4IEx1UpB3tPI7S5lPEKPfjWhBT8FpchljCNhinKYRo63pMPXjy7HwQVDiR5aPlKcd1kotr1QmzAFHBNxJk3W8YU6npCEmzQy6cbTPr0R2nMxNLseUKe/7cIsZiJ/RcjvxMvJ7+kueJ5m/Vv+HmnUru7fgn3c7e4FfnO+lCaxhlafAsGBK7XzqlFVhyHqwUBnxSmtMa7hCaIZzzSDpmbFJv89AXtQDadFco0Eym7Hk7ytJiy5MbZlbrH/yE5AliTzUPde3fkqrx6UtReEzowZFQqSOnAprg/l61EWU6mE7cR7U0e9C6t4oi6Y7sTeQjJRQxgZKqwU1oNO1bmLNqN11KldjBkfmeA0zMoeae9wkgfJSOtz4IMYbiGomPEhxudS6F8Ep5/LWQA8HMrQhmqQcLV3e4VvzrS6p/TUpF2aRGdJ4vQj1rrb7YTfrv/XOuyb6YmxuS0OdgdmhLCQebTfzw+E4VWeLz5USfuQRC/fx9Z+g4hHD2NUgh3gyJo5BJ62aae0njRdsoYTKckcA5GTYMqFIeJgUKRGGaEbeyUzOKOONluQTNLhdOZCqC8tmZdjCgSpxMpCrfBe4enmY0t4goJV2szwmwYYVn4jDH2bzhkxb3Cvy7+kFFGiI8LwjlTjLgD7vVOwyGBC7rjsPlaWk/bd0MwnjXaU/g4F3Hix8h8ktvyDHE9YXEb3Wpq/8DhJBe0Es9nASF0grhnMmYceKpyjXZ5vF4m/3ZM5fR86oNbnFDffSJLA6DL98foLwuRQKX1lQ9DKZprw6n3KRuJrMkA+U/688Fq46DrqBiFIg6rHp4OxLITf+okyFNos5qZjRIKd9h/SYGwK38HLgraFBu923DZ26cERe68tTvg/8Bw0JzMUgjC6L8rgYqH5dHbLRsGq/5QknO+e0GTVuP03Sagya2xFYFeHxJpF4s1aRvU1LXoAZiWX96JXNokMkxjHbOq7pQOoJu3Ei6ytsewikIfuTT4QwLCrg5fenYyg4KK1ARwoxA1/VqXEHgL0TMcfHXgOrqPoRAeT0HG33zD8Iv9R7batQG5MTrEHbYiK9C6EF1Yxabl2R02l1RXNAmv4AF0FgIDa83+OUsLppRy+DqU1qNZ1TPeAXblzPcR72mXby1RAbvzgk5wDwZ+jl3onuaPkHTomEtaD73ewKi5VAJ4SNVvKqYNMXL3C22LqCrPbzRMr/7Pm+No/y+WaM0cyjb20G6/X+KaMrmY8EtE5DUGjhFtfsS0Uw+/iG90PDvlrQRyEbBXp8K0Lp80A7ekY6htMwhlz4493gY490JnL6nyAQk0lDTIozfIJi8kG0sFgFbZ+7kCRn5MRHDU6t2ed+3GQuuPHghXFcbUy7Ny7u25cF8D8/yOdHiXyVDFfDHQk0qLtp19MIrfxzuarkPbNCFZmi2aguluCkjwIilNqqOacj+F4M4+eSQmDCZ11EjupC9VM5GDTMEK8fphRIQ6jY6U4lJlL2PvGY9taigUmYSfVyuWeMtunjgdnUjVUvumwtdq1pVuvbY7a0meuxVaNhfpzJdAZMJ5mqt/E7AEhyVLsX7s3dBpwtRygssWi3F7/efq5i4ctevgwOAjWky7sUcxKhjV5lgCZ1Dujp7o0zkaCEc0F3A+tAzSec/snh0RITpl7UQ5HODjmru1Wglq9Fm2G/cb17yqQrgSK+GgWwYq2zOD2eo70wdrv+xTgNAkG9PG4ElwwoUwjkH4vzhedmX7UQOTBZC0oT6xpNnHfyVn+SxQZQPxMvU8VQlzj07xkLeA9RpQT5lI4fsQJCGNXAnfLCEWfl71T3GxwZo4nN6VCG+y+1Uv77YKCLvBAvrf9IBkDZvn+fIzFSeqx+Y4tW9qpGTVkalcdCx+27U1oi9s+AA8AYJa+Rtp0fXfi6ZiNYTvRQ9Yn01LL5pu2zy7W459ne3eVl3hgW8dOKlplPI56eIEVFIOcv4mfA5I9w4bo84=', 'UD1PDPUqAaUDOMi1WKy1rNywA25B40crLw+g04TouGIw6W+Yzpk8ucwK68/E1eYga0M8bDhHVvTs+ocTYk2zjw==', 'MSGZ5+w+qVLfLTQDxnLlRJTZukyu4ia9h39aAoekvc5QEAbaReGZlG3qN+Aecijd2p2U4jNAyWy

Creates mutexes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Users\user\Desktop\payment_advice.exe	Mutant created: \Sessions\1\BaseNamedObjects\lVlVHIKo

Reads the hosts file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\payment_advice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: payment_advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: payment_advice.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: payment_advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: StoreAssemblyFileEnumerati.pdb source: payment_advice.exe

Data Obfuscation:

.NET source code contains potential unpacker

Source: payment_advice.exe, zB/HE.cs	.Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs	.Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs	.Net Code: UP System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.4.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.3.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.2.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.2.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.RegSvcs.exe.400000.1.unpack, Client/Handle_Packet/Packet.cs	.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: payment_advice.exe, zB/HE.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.0.payment_advice.exe.7e0000.0.unpack, zB/HE.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 0.2.payment_advice.exe.7e0000.0.unpack, zB/HE.cs	.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_00F6D118 pushad ; ret		0_2_00F6D11D
Source: C:\Users\user\Desktop\payment_advice.exe	Code function: 0_2_0737C8DE push dword ptr [edx+ebp*2-75h]; iretd		0_2_0737C8E7

Boot Survival:

Yara detected AsyncRAT

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match	File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\payment_advice.exe TID: 1844	Thread sleep time: -36067s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe TID: 1680	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\payment_advice.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1646			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8095			Jump to behavior

Queries a list of all running processes

Source: C:\Users\user\Desktop\payment_advice.exe

Process information queried: ProcessInformation

Jump to behavior

Contains medium sleeps (>= 30s)

Source: C:\Users\user\Desktop\payment_advice.exe	Thread delayed: delay time: 36067			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Checks the free space of harddrives

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000006.00000003.870591239.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916835494.0000000004E0A000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.731607572.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763571335.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729974130.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915834995.0000000000CFD000.00000004.00000020.sdmp, RegSvcs.exe, 00000006.00000003.730070432.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.763654663.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.759536490.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.729404106.0000000004E08000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000003.761156327.0000000004E08000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: payment_advice.exe, 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\payment_advice.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\payment_advice.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Source: C:\Users\user\Desktop\payment_advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 40E000			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 410000			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 702008			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\payment_advice.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\payment_advice.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp, RegSvcs.exe, 00000006.00000003.731548600.0000000004DAB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916656825.0000000004D51000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916100896.00000000029CB000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916118306.00000000029D1000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916083911.00000000029C4000.00000004.00000001.sdmp, RegSvcs.exe, 00000006.00000002.916161929.00000000029ED000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000006.00000002.915889249.00000000012A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000006.00000003.759450957.0000000004DAB000.00000004.00000001.sdmp	Binary or memory string: Program ManagerB5210E87

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Users\user\Desktop\payment_advice.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\payment_advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\payment_advice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT

Source: Yara match	File source: 6.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.payment_advice.exe.2c066e4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.674008993.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673297148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915982123.0000000002961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.674336932.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.915347249.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676199405.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.673592493.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment_advice.exe PID: 6548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4204, type: MEMORYSTR

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct